GitHub agentic workflow flaw could expose private repositories, researchers say

by

A prompt injection flaw in GitHub Agentic Workflows can let an attacker leak data from private repositories in an organization after opening a GitHub Issue in a public repo, according to a technical analysis published yesterday.

KEY FACTS

  • Flaw Noma Security dubbed the issue GitLost.
  • Access The attack did not require an account compromise or software exploit.
  • Trigger An issue posted in a public repository could prompt the agent to read hidden commands.
  • Impact A proof of concept exposed private meeting-related data.

GitHub Agentic Workflows combines GitHub Actions with an AI agent backed by Claude or GitHub Copilot to manage repository tasks through natural language. The workflow described in the report was set to trigger on issues.assigned events, read issue titles and bodies, post comments, and run with read access to other repositories in the same organization.

The disclosure said an attacker could hide instructions in plain English inside an issue body and wait for the agent to follow them. Noma said the proof of concept resulted in exposure of information about a meeting that employees had. GitHub did not immediately comment on whether the flaw has been fixed, and Noma said GitHub updated the documentation that created the flaw.

Security researcher Sasi Levi said the agent’s context window becomes part of the attack surface when it treats issues, pull requests, comments or files as instructions. Jason Soroko of Sectigo said the attack shows how plain-language commands can bypass guardrails when an AI agent has broad permissions.

GitHub Agentic Workflows are designed to help development teams automate work across repositories, but the report said that same design can expand risk if untrusted user content is treated as trusted input. Noma advised defenders to limit cross-repository access and avoid letting user-controlled text drive agent actions.

WHY IT MATTERS

The case shows how agentic AI systems can turn ordinary repository activity into a data exposure risk when permissions are broad and trust boundaries are weak. Organizations using similar workflows may need to recheck access controls and separate user input from system instructions.