The vulnerability identified as CVE-2026-25598 affects the step-security Harden-Runner GitHub Action, a security agent designed to function like an Endpoint Detection and Response (EDR) tool for GitHub Actions runners. Harden-Runner monitors and enforces security policies during CI/CD workflows. Prior to version 2.14.2, Harden-Runner's egress-policy set to audit fails to log outbound network traffic that uses specific socket system calls: sendto, sendmsg, and sendmmsg. These system calls are commonly used for sending data over network sockets, including UDP and other protocols. Because these calls bypass the audit logging mechanism, malicious actors or compromised workflows could exfiltrate data or communicate with external systems without detection. This represents an insufficient logging vulnerability categorized under CWE-778, which can severely impair incident response and forensic investigations. The vulnerability does not require any privileges or user interaction to exploit, making it accessible in environments where Harden-Runner is deployed. The issue was publicly disclosed on February 9, 2026, with a CVSS 4.0 base score of 6.3 (medium severity). The fix was introduced in Harden-Runner version 2.14.2, which ensures that all outbound traffic, including that using the affected socket calls, is properly logged under the audit egress policy. No known exploits are currently reported in the wild. Organizations relying on Harden-Runner for CI/CD security monitoring should upgrade to the patched version to restore full audit visibility and prevent stealthy data exfiltration or command and control communications.

For European organizations, this vulnerability poses a risk to the integrity of CI/CD security monitoring and incident detection capabilities. Since Harden-Runner acts as an EDR for GitHub Actions runners, failure to log certain outbound network traffic can allow attackers or malicious insiders to exfiltrate sensitive code, credentials, or intellectual property without triggering alerts. This undermines compliance with data protection regulations such as GDPR, which mandate monitoring and logging of security-relevant events. The stealthy nature of the bypass could delay detection of breaches, increasing potential damage and remediation costs. Organizations with automated deployment pipelines that use GitHub Actions and Harden-Runner are particularly at risk. The medium severity rating reflects that while the vulnerability does not directly allow code execution or privilege escalation, it facilitates covert communication channels that can be leveraged in multi-stage attacks. The impact is heightened in sectors with strict regulatory oversight and high-value intellectual property, such as finance, healthcare, and critical infrastructure within Europe.

European organizations should immediately upgrade Harden-Runner to version 2.14.2 or later to ensure that all outbound network traffic is properly logged under the egress-policy audit setting. Additionally, organizations should: 1) Review and enhance their CI/CD pipeline monitoring to include network traffic analysis at the runner host level, potentially using host-based intrusion detection systems or network monitoring tools to detect anomalous outbound connections. 2) Implement strict egress network controls and firewall rules to limit outbound connections from CI/CD runners to only trusted destinations. 3) Conduct regular audits of CI/CD workflows and runner configurations to verify that security agents like Harden-Runner are up to date and properly configured. 4) Integrate Harden-Runner logs with centralized Security Information and Event Management (SIEM) systems to correlate audit logs with other security events for improved detection. 5) Educate DevOps teams about the importance of security agent updates and monitoring to maintain pipeline integrity. These steps go beyond generic patching by enhancing overall visibility and control over CI/CD runner network activity.