All incidents

GitHub AI workflow flaw exposes private repository data via Issues

vulnerabilityopenJul 7, 2026 — Jul 8, 2026
GitHub AI Agent Flaw Lets Hackers Steal Private Code via Issues

RESEARCHERS at Noma Labs have disclosed a flaw nicknamed GitLost that allows unauthenticated attackers to extract private repository data from GitHub by posting a malicious issue in a public project (see details).

The vulnerability resides in GitHub’s Agentic Workflows (as reported), where the built‑in AI agent interprets natural language commands and can be tricked through prompt injection into executing unintended actions.

No CVE identifier has been assigned yet, but the researchers rate the issue as critical because it requires no authentication or special privileges and leaks source code, configuration files or secrets stored in private repositories.

So far there is no evidence of the flaw being exploited in the wild and no threat actor has been linked to the technique, although the proof‑of‑concept shows that a simple issue comment can trigger the data leak.

Organisations using GitHub’s AI agent should treat all user‑generated content as untrusted, enforce the principle of least privilege for the agent’s access tokens and review workflows that allow the agent to read private data based on issue input.

Security teams are advised to audit existing Agentic Workflows, disable the ability for the agent to fetch private repository data in response to public issue events until a patch is released, and monitor issue logs for unusual patterns that could indicate attempted prompt injection.

Intelligence briefing updated Jul 8, 2026

Root sourcenoma.security
Timeline Coverage

Swipe to explore timeline