Critical GitHub Vulnerability Allows Prompt Injection in Agentic Workflows
A newly identified vulnerability in GitHub’s Agentic Workflows framework allows unauthorized individuals to extract sensitive data from private repositories through indirect prompt injection attacks, according to security researchers.
The GitLost Vulnerability
The flaw, designated GitLost, exploits the way AI-driven workflows process user-generated content within public repositories, creating a pathway for malicious actors to bypass access controls. GitHub Agentic Workflows is a feature that enables users to define automation tasks using natural language prompts stored in markdown files. These prompts are interpreted by an AI agent to execute GitHub Actions, streamlining interactions with code repositories. However, the vulnerability arises from the system’s ability to process untrusted input. Attackers can exploit this by submitting maliciously crafted GitHub Issues in public repositories, which the AI agent then interprets as actionable instructions.
How the Exploit Works
The security firm Noma Labs discovered that workflows configured to trigger on issue assignments can access both public and private repositories linked to the same organization. By embedding deceptive prompts within seemingly legitimate requests—such as a fabricated message from a sales team—attackers can compel the AI agent to retrieve and disclose files like Readme.md from private repositories. The extracted data is then published as a public comment, effectively exposing confidential information. The exploit requires no technical expertise, credentials, or direct access to the target organization’s private repositories. Instead, attackers only need to create a GitHub Issue in a public repository that is part of an organization utilizing Agentic Workflows. Once the workflow is triggered, the AI agent processes the malicious input, leading to unauthorized data exfiltration.
Discovery by Noma Labs
Noma Labs highlighted that this vulnerability underscores a broader security risk in agentic AI systems, where the agent’s context window—its ability to process and act on input—becomes a critical attack surface. The firm compared indirect prompt injections to SQL injection attacks in web applications, emphasizing the need for systematic mitigation strategies. The researchers noted that GitHub’s existing safeguards, such as input validation and access controls, were insufficient to prevent this specific attack vector. They advised organizations to treat all user-generated content as untrusted, limit agent permissions to the minimum necessary, and implement strict input sanitization protocols. Additionally, they recommended restricting the ability of AI agents to publish content publicly and monitoring workflows for anomalous behavior.
Broader Security Concerns
The vulnerability has prompted renewed scrutiny of agentic AI systems, particularly as their adoption grows in enterprise environments. Security experts warn that similar flaws could emerge in other platforms leveraging AI-driven automation, necessitating proactive security measures. Organizations using GitHub Agentic Workflows are urged to review their workflow configurations, enforce stricter access policies, and stay informed about updates from the platform. The incident also highlights the importance of continuous security assessments for AI-powered tools, ensuring that automation does not introduce new risks to data integrity and confidentiality.
Conclusion
Organizations using GitHub Agentic Workflows are urged to review their workflow configurations, enforce stricter access policies, and stay informed about updates from the platform. The incident also highlights the importance of continuous security assessments for AI-powered tools, ensuring that automation does not introduce new risks to data integrity and confidentiality.
