diff --git a/.github/workflows/cve-enhancement.yml b/.github/workflows/cve-enhancement.yml
index d3ecfa3fb5b..c7640ef7669 100644
--- a/.github/workflows/cve-enhancement.yml
+++ b/.github/workflows/cve-enhancement.yml
@@ -52,7 +52,7 @@ jobs:
 done < /tmp/cve_files.txt
 
 - name: Commit changes
- if: steps.files.outputs.changed == 'true'
+ if: steps.files.outputs.changed == 'true' && github.event.pull_request.head.repo.full_name == github.repository
 run: |
 if ! git diff --quiet; then
 git config user.name "github-actions[bot]"
@@ -61,3 +61,16 @@ jobs:
 git commit -m "chore: add impact and remediation fields 🤖"
 git push origin HEAD:${{ github.event.pull_request.head.ref }}
 fi
+
+ - name: Check for unapplied changes (fork PRs)
+ if: steps.files.outputs.changed == 'true' && github.event.pull_request.head.repo.full_name != github.repository
+ run: |
+ if ! git diff --quiet; then
+ echo "⚠️ This PR is from a fork. The CVE enhancement script generated changes that need to be applied manually."
+ echo "Please run the following command locally and push to your branch:"
+ echo ""
+ echo " python .github/scripts/enhance-cve-fields.py "
+ echo ""
+ git diff
+ exit 1
+ fi
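Review bot: The same-repo test `github.event.pull_request.head.repo.full_name == github.repository` on the Commit step is spelled out a second time, negated, on the new fork step, so the two guards have to be kept in sync by hand and a typo in one leaves a PR that matches neither or both. Computing it once in the earlier `files` step and exposing it as an output, e.g. `echo "fork=${{ github.event.pull_request.head.repo.full_name != github.repository }}" >> "$GITHUB_OUTPUT"`, then gating both steps on `steps.files.outputs.fork`, keeps the decision in one place. Skipping the push for fork PRs is the right direction: the default token of a `pull_request` run cannot push to the contributor's branch, so the old unconditional push step would presumably only have failed there. The `run` block of the Commit step continues outside this hunk.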
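Review bot: The fork guard `github.event.pull_request.head.repo.full_name != github.repository` on the new step is true for any run that is not a pull request, because `github.event.pull_request` is then empty and the empty string differs from the repository name; if this workflow has (or later gains) a trigger other than `pull_request`, the step will print the fork warning and fail the job on every such run. Prefixing the condition with `github.event_name == 'pull_request' &&` makes the intent explicit and closes that path. Separately, the advice line `echo "  python .github/scripts/enhance-cve-fields.py "` ends in a trailing space and shows no argument, so a contributor cannot tell whether the script takes the changed file list (the earlier step reads `/tmp/cve_files.txt`) or scans the tree itself; state the exact invocation, or point to the script's own usage text. The `git diff` printed before `exit 1` is helpful for reviewers but will grow with the number of touched CVE files; consider `git diff --stat` first so the log stays readable.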