← All stories
● Covered by 1 source Β· 1 reportHigh impact

GitHub Workflows Vulnerable to Data Leak via Public Issue Manipulation

Aggregated by BrevFeed security Β· updated 1h ago
πŸ”– Save

Researchers demonstrated that a public issue can be crafted to exploit GitHub's Agentic Workflows, causing leaks of private repository data. This vulnerability arises from the agent's inability to distinguish between legitimate instructions and malicious prompts, leading to potential data exposure.

Key points

Overview of GitHub Agentic Workflows

GitHub Agentic Workflows, introduced in February and currently in public preview, allow users to create automation scripts using plain English instructions in Markdown. These workflows leverage AI models such as GitHub Copilot and OpenAI Codex to read and respond to issues and pull requests. By assigning read access tokens to agents, organizations can enable them to pull context across both public and private repositories.

The GitLost Technique Defined

The vulnerability, termed GitLost by Noma Security, allows an attacker to exploit a public issue on a repository without needing stolen credentials. If an organization has granted an agent read access across its repos, including private ones, the issue can manipulate the agent into exposing private data. Noma's proof-of-concept showcased how a deceptively simple approach could result in sensitive information leakage.

How the Exploit Works

The exploit relies on the agent's susceptibility to indirect prompt injection, where it cannot reliably discern between genuine user instructions and those disguised within content. In a test case, a maliciously crafted issue masqueraded as a legitimate request, triggering the workflow's automation to mistakenly share private repository content in a public space.

Imperfect Guardrails

GitHub has implemented various safeguards to mitigate such risks, including sandboxing and default read-only tokens. Their documentation warns of the potential for AI agents to be manipulated through prompt injection. However, during testing, a minor tweak in the prompt allowed the exploit to bypass these guardrails, highlighting a significant security gap.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Primary sources

CVE CVE-2026-552008.1 HIGH CVE CVE-2026-468179.8 CRITICAL

Reporting from

Researchers demonstrated that a public issue can be crafted to exploit GitHub's Agentic Workflows, causing leaks of private repository data. This vulnerability arises from the agent's inability to distinguish between legitimate instructions and malicious prompts, leading to potential data exposure.