Researchers at Noma Security discovered a supply-chain vulnerability in GitHub Agentic Workflows that allows attackers to extract private repository contents without credentials or organizational access.
The attack exploits how GitHub's agentic systems process public repository issues. An attacker opens a seemingly innocent issue on any public repository. If the target organization runs GitHub Agentic Workflows with read permissions across its repositories, the agent automatically processes the issue and can be manipulated into fetching and exposing data from private repositories belonging to that organization.
The vulnerability requires no stolen credentials, no account compromise, and no direct access to organizational systems. The attacker only needs to craft a malicious issue that tricks the workflow agent into performing unintended actions. This represents a critical privilege escalation flaw where public repository access translates into unauthorized private data exposure.
Organizations using GitHub Agentic Workflows face immediate risk if they have granted agents broad repository permissions. Private codebases, configuration files, API keys, and other sensitive materials stored in restricted repositories become accessible to any attacker willing to open a public issue on any repository their organization interacts with.
The attack vector operates at the intersection of automation and access control. GitHub Agentic Workflows are designed to autonomously handle repository tasks, but this automation becomes dangerous when workflows lack proper input validation and context awareness. Public issues represent untrusted input, yet the agent processes them with organizational-level permissions.
Noma Security's disclosure highlights a broader pattern in automated systems. As organizations delegate more tasks to agents and automation frameworks, the potential for permission abuse grows. Agents often operate with broader permissions than individual users need, creating blast radius problems when exploitation occurs.
GitHub users running agentic workflows should immediately audit their workflow permissions. Organizations should restrict agent access to only necessary repositories and implement additional validation layers for external inputs. The vulnerability demonstrates that automation convenience carries security costs that organizations must actively
