GitLost Flaw Exposes Private Data in GitHub's AI Workflows

GitLost Flaw Exposes Private Data in GitHub's AI Workflows

First seen 7 Jul 2026, 18:24 UTC ThehackernewsCybersecuritynewsDarkreadingTheregisterGround.News+4 90% similarity 66.0

Article Content

Browse articles
ThreatCluster

A critical vulnerability named 'GitLost' has been disclosed, allowing unauthenticated attackers to exploit GitHub's Agentic Workflows. By crafting a GitHub Issue in a public repository, attackers can trick the AI agent into pulling data from private repositories without requiring any credentials or coding skills. The flaw, identified by Noma Security, highlights significant security risks associated with AI-powered automation in GitHub Actions. The vulnerability can lead to the public exposure of sensitive information, affecting organizations that utilize these workflows. Despite the severity of the issue, GitHub has not yet implemented any documentation or fixes to mitigate the risk. Researchers have demonstrated the exploit through a proof-of-concept attack, emphasizing the need for organizations to reassess their security configurations. As of now, the vulnerability remains unpatched, posing a continuing threat to affected systems.

Key Points: • The 'GitLost' vulnerability allows attackers to leak private repository data via public GitHub Issues. • No coding skills or credentials are required to exploit this flaw, making it accessible to a wide range of attackers. • GitHub has not yet implemented any fixes or documentation to address the vulnerability.

ThreatCluster AI

Timeline

2026-07-07
GitLost vulnerability disclosed
Noma Security revealed a critical prompt injection flaw in GitHub's Agentic Workflows that allows data leakage from private repositories.
Darkreading
2026-07-07
Proof-of-concept attack demonstrated
Researchers showcased how a crafted GitHub Issue could lead to the exposure of private data, confirming the vulnerability's exploitability.
Theregister
2026-07-07
GitHub's response awaited
As of the disclosure date, GitHub has not provided any documentation or fixes related to the GitLost vulnerability, leaving organizations at risk.
The Register

Community

Browse all →