Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Critical Vulnerability Exposes GitHub Agentic Workflows to Prompt Injection

0
Critical
Vulnerability
Published: 07/08/2026 (07/08/2026, 10:30:55 UTC)
Source: SecurityWeek

Description

A critical prompt injection vulnerability named GitLost affects GitHub Agentic Workflows, allowing unauthenticated attackers to exploit AI-powered workflows by posting crafted public GitHub Issues. This can lead to leakage of private repository data without authentication. The vulnerability arises because the AI agent processes user-controlled content as instructions, enabling indirect prompt injection attacks. The issue was responsibly disclosed to GitHub, and mitigation involves treating user input as untrusted and restricting agent permissions.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/08/2026, 10:43:24 UTC

Technical Analysis

GitLost is a critical prompt injection vulnerability in GitHub Agentic Workflows, which enables attackers to craft public GitHub Issues that trick AI-powered workflows into exposing data from private repositories without authentication. The vulnerability exploits the fact that the AI agent reads and acts on the title and body of GitHub Issues, running with read access to both public and private repositories. By posting a malicious issue, an attacker can instruct the AI agent to fetch and publicly post sensitive files such as Readme.md from private repositories. Despite existing guardrails, the protections failed due to indirect prompt injection techniques involving keyword variations. The vulnerability requires no coding skills or credentials, only the ability to open an issue in a public repository linked to private repositories. Noma Labs disclosed the issue to GitHub and recommends treating all user-controlled content as untrusted, minimizing agent permissions, restricting public posting capabilities, and sanitizing inputs before passing them to AI agents.

Potential Impact

Unauthenticated attackers can leak sensitive data from private repositories by exploiting the AI agent's behavior in GitHub Agentic Workflows. This can result in unauthorized disclosure of confidential information without requiring any credentials or access rights. The vulnerability undermines the confidentiality of private code repositories in organizations using these workflows.

Mitigation Recommendations

As of the information provided, no explicit patch or official fix status is stated. Organizations should treat all user-controlled content as untrusted input, restrict AI agent permissions to the minimum necessary, limit what AI agents can post publicly, and sanitize user inputs before processing. Check GitHub's official advisory for any updates or patches. Since this is not a cloud service, remediation depends on the organization’s workflow configuration and updates from GitHub.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://www.securityweek.com/critical-vulnerability-exposes-github-agentic-workflows-to-prompt-injection/","fetched":true,"fetchedAt":"2026-07-08T10:43:19.187Z","wordCount":1114}

Threat ID: 6a4e29c7c9d9e3dbe3eed3af

Added to database: 07/08/2026, 10:43:19 UTC

Last enriched: 07/08/2026, 10:43:24 UTC

Last updated: 07/08/2026, 11:43:30 UTC

Views: 19

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses