Vulnerability  ·  2026-07-08

GitLost: Prompt Injection in GitHub Agentic Workflows Leaks Private Repository Data via Public Issues

VulnerabilityHigh impactGlobal
Noma Labs (Noma Security) disclosed GitLost, a structural indirect prompt injection vulnerability in GitHub's newly launched Agentic Workflows feature. The vulnerability exploits the agent's inability to distinguish trusted workflow instructions from untrusted issue content, combined with overly broad read-access tokens, to exfiltrate private repository data into a public comment.
GitHub Agentic Workflows is a new, widely-adopted feature pairing GitHub Actions automation with LLM agents; this shows a repeatable, zero-credential technique for exfiltrating private source code and secrets from any organization that grants an agent broad read scope — a systemic risk pattern for any agent-based CI/CD automation.
An unauthenticated attacker posts a crafted public GitHub Issue containing prompt-injection instructions in an organization's public repository. When a workflow configured to trigger on issue-assignment events (with a token granting cross-repo, including private-repo, read access) processes the issue, the agent follows the injected instructions to fetch private repository contents (e.g., README.md) and paste them into a public comment on the issue — requiring no credentials or organizational access from the attacker.
GitHub Agentic Workflows (GitHub Actions + AI agent backed by Claude or GitHub Copilot)
Scope Agentic Workflow tokens to a single repository rather than org-wide cross-repo read access; gate agent outputs behind human review before posting publicly; treat untrusted issue content as data, not instructions. Responsibly disclosed to GitHub by Noma Labs prior to publication.
Noma Security - GitLost: How We Tricked GitHub's AI Agent into Leaking Private ReposThe Hacker News - Public GitHub Issue Could Trick GitHub Agentic Workflows Into Leaking Private Repo Data
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →