The nnU-Net framework's GitHub Issue Triage workflow prior to version 2.4.1 is vulnerable to Agentic Workflow Injection (CWE-1427). The workflow automatically triggers on issue creation and sets allowed_non_write_users to the issue creator's login, allowing any logged-in user to trigger the workflow. Untrusted issue title and body content are embedded directly into the prompt for the anthropics/claude-code-action, which runs a command-capable Claude agent with permissions to comment and relabel the issue. This enables an attacker to submit a crafted issue that manipulates the agent to perform unintended authenticated actions on the issue. The vulnerability is addressed by updating to nnU-Net version 2.4.1.

An unauthenticated attacker who can open issues on the nnU-Net GitHub repository can exploit this vulnerability to manipulate an AI agent with authenticated permissions to comment on and relabel issues. This could lead to unauthorized modification of issue metadata and comments, potentially disrupting issue triage processes or enabling further social engineering or workflow manipulation. There is no indication of code execution beyond the GitHub workflow context or impact on the underlying system beyond issue management. No known exploits in the wild have been reported.

This vulnerability is fixed in nnU-Net version 2.4.1. Users should upgrade to version 2.4.1 or later to remediate this issue. Since no official patch link or advisory is provided, verify the update availability from the vendor's official release channels. Until upgraded, restrict issue creation permissions to trusted users if possible to reduce exposure.