Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Artificial Intelligence

Critical Vulnerability Exposes GitHub Agentic Workflows to Prompt Injection

Researchers show how attackers can use a crafted public GitHub Issue to trick AI-powered workflows into exposing data from private repositories without authentication.

A critical prompt injection vulnerability in GitHub Agentic Workflows could allow unauthenticated attackers to leak private repository data, Noma Labs warns.

GitHub Agentic Workflows allows users to write workflows in natural language using markdown files that an AI agent will use as GitHub Actions, thus automating the interaction with code repositories.

Because of the security defect, named GitLost, unauthenticated attackers can hide indirect prompts in crafted GitHub Issues posted on the public repositories of an organization that also maintains private repositories, and the AI agent will follow the instructions.

Noma Labs discovered that a GitHub Agentic Workflow was configured to trigger on issues.assigned events, read the title and body of the GitHub Issue, and post a comment in response.

The workflow, the company says, runs with read access to both public and private repositories that the organization maintains.

“To exploit this vulnerability, the attacker needed no coding skills, access, or credentials. All that was needed was to open an issue in a public repository belonging to an organization that uses GitHub’s Agentic Workflow setup and wait,” Noma explains.

Advertisement. Scroll to continue reading.

The cybersecurity firm confirmed that a crafted GitHub Issue containing a plausible-looking request from sales leadership could be used to instruct the agent to fetch the contents of Readme.md files from both public and private repositories and post them as a public comment.

While GitHub has guardrails in place to prevent this type of attack, the protections failed because the security researchers tested techniques with variations and eventually triggered the behavior by adding the keyword “additionally”.

According to Noma, to agentic AI, indirect prompt injections are the equivalent of SQL injections in web applications, and require a systematic defense strategy.

“GitLost perfectly illustrates one of the fundamental security challenges every organization faces with agentic AI systems. The agent’s context window is also its attack surface. Any content the agent reads, whether issues, pull requests, comments, or files, can be weaponized if the agent treats that content as instructional input,” Noma says.

The cybersecurity firm responsibly disclosed its findings to GitHub and recommends that organizations treat all user-controlled content as untrusted, restrict agent permissions to the minimum required, restrict what agents can post publicly, and sanitize user input before it is passed to the AI agents.

Related: CISA Reportedly Using Anthropic’s Mythos to Scan Government Software for Flaws

Related: Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments

Related: Agentic AI Used to Conduct Ransomware Attack via Langflow

Related: Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.