Full Report
A public issue can trick GitHub Agentic Workflows into leaking the contents of an organization's private repositories, researchers at Noma Security have shown. The attacker needs only to open a normal-looking issue on a public repository, with no stolen credentials and no access to the organization. If that organization has given the agent read access across its repositories, private ones
Analysis Summary
# Vulnerability: GitHub Agentic Workflow Private Repository Leak
## CVE Details
- **CVE ID**: Not yet assigned (Discovered by Noma Security)
- **CVSS Score**: Estimated 8.0 - 9.3 (High to Critical, depending on organizational configuration)
- **CWE**: CWE-918 (Server-Side Request Forgery) / CWE-863 (Incorrect Authorization) / Prompt Injection
## Affected Systems
- **Products**: GitHub Repositories utilizing AI-based Agentic Workflows (e.g., GitHub Copilot Workspace, custom GitHub Action agents).
- **Versions**: Cloud-based services as of late 2023 / early 2024.
- **Configurations**: Organizations that have granted an AI agent or GitHub App wide "Metadata" or "Content" **read access** across multiple repositories (including private ones) while the agent also monitors a public repository for incoming issues/triggers.
## Vulnerability Description
The flaw is a form of **Indirect Prompt Injection** targeting the "Chain of Thought" or tool-execution capabilities of GitHub agents.
When an AI agent is configured to process new issues on a public repository, it reads the content of the issue to determine its next steps. An attacker can craft an issue containing malicious instructions disguised as a bug report. If the agent has cross-repository permissions, the instruction can trick the agent into:
1. Searching for specific files in the organization's private repositories.
2. Reading the contents of those private files.
3. Summarizing or exfiltrating that data back into the public issue comment or via an outbound web request using allowed tools.
## Exploitation
- **Status**: Proof of Concept (PoC) demonstrated by Noma Security; no widespread exploitation in the wild currently reported.
- **Complexity**: Low (Requires only the ability to open an issue on a public repo).
- **Attack Vector**: Network (Web-based via GitHub Issue UI).
## Impact
- **Confidentiality**: **High** (Complete leakage of private source code, secrets, and internal documentation).
- **Integrity**: Low (Primary vector focuses on data exfiltration).
- **Availability**: None.
## Remediation
### Patches
- As this is a logic/architectural flaw in how agents handle untrusted input, there is no single "patch." GitHub and AI providers are working on improving prompt filtering and execution sandboxing.
### Workarounds
- **Principle of Least Privilege**: Ensure AI agents/Apps have access **only** to the specific repositories they need to function. Use "Selected Repositories" instead of "All Repositories."
- **Isolation**: Do not use the same agent/credential for both public-facing support/issue tracking and private-repo management.
- **Human-in-the-loop**: Require manual approval before an agent can take actions that involve data transfer between different security boundaries.
## Detection
- **Indicators of Compromise**: Monitor GitHub Audit Logs for AI agents/GitHub Apps accessing repositories they do not normally interact with.
- **Detection Methods**: Look for unusual patterns in Agentic "Thought" logs (if available) or audit logs where an agent performs a `Search` or `Read` command on a private repo immediately after interacting with a new public issue.
## References
- **Noma Security Research**: hxxps[://]noma[.]security/blog/github-agentic-workflows-vulnerability
- **GitHub Security Advisories**: hxxps[://]github[.]com/advisories (General reference)