GitHub discovered a vulnerability in its Agentic Workflows feature that allows unauthenticated attackers to extract private repository data through crafted GitHub Issues in public repositories. The flaw, dubbed "GitLost," enables threat actors to bypass authentication controls and access sensitive information stored in private repos without detection.

The attack exploits how GitHub's Agentic Workflows process issues created in public repositories. An attacker creates a specially crafted issue that tricks the workflow system into executing commands with elevated permissions. This allows the attacker to enumerate and exfiltrate data from private repositories within the same organization, including source code, configuration files, and credentials.

The vulnerability affects organizations using GitHub's Agentic Workflows feature for automation. Since the attack requires only the ability to create a public issue, any GitHub user can exploit it. The silent nature of the exfiltration means organizations may remain unaware of compromised data until discovery during forensic investigation.

GitHub has not assigned a CVE identifier yet. The company recommends organizations using Agentic Workflows restrict who can create issues in public repositories and audit workflow permissions immediately. Organizations should review access logs for suspicious workflow executions and rotate any credentials that may have been exposed.

The vulnerability underscores risks associated with automation features that bridge public and private environments. Organizations deploying AI-driven or automated workflow tools must carefully scrutinize permission boundaries and implement least-privilege principles. Restricting cross-repository access, enabling detailed logging, and regular audits of workflow behavior provide essential defenses against similar flaws.

GitHub users should update their workflow configurations to enforce stricter input validation and disable automatic workflow triggers on untrusted input sources until patched.