GitHub Actions RCE
- A critical flaw allowed submitting a malicious issue to trigger remote code execution inside GitHub Actions workflows.
- Tenable scored the vulnerability CVSSv4 9.3 and warned it could expose GITHUB_TOKEN credentials.
- The bug shows issue-based automation can broaden the CI attack surface, forcing tighter workflow trust boundaries and token scopes (securityjournaluk.com).
GitHub Actions is GitHub’s automation system: a repository event like a push, pull request, or issue can start a script on a hosted runner. In Microsoft’s public Windows-driver-samples repository, Tenable found a workflow where opening an issue could be turned into remote code execution on that runner. (tenable.com)

Tenable published the advisory on April 21, 2026 and scored the flaw 9.3 on the Common Vulnerability Scoring System version 4 scale. The affected repository had about 7,700 stars and 5,000 forks when the issue was disclosed. (tenable.com) (github.com)

The bug sat in a GitHub Actions workflow file called `tag-codeowner-on-issue.yml`, which ran when a user opened an issue. That workflow copied the issue body straight into a Python script block without sanitizing it first. (tenable.com) In plain terms, the issue form was treated like data but executed like code. Tenable said an attacker could place triple quotes in the issue text, break out of the Python string, and run arbitrary Python on the GitHub runner. (tenable.com)

GitHub has warned for years that fields like `github.event.issue.body` and `github.event.issue.title` are attacker-controlled input. GitHub Security Lab said developers should treat those fields as untrusted and keep them away from places where text can be interpreted as code. (securitylab.github.com)

The immediate risk was the workflow token that GitHub injects into jobs. GitHub’s own documentation says actions can access `github.token` even if a workflow does not explicitly pass `secrets.GITHUB_TOKEN`, and recommends granting that token only the minimum permissions required. (docs.github.com) That matters because older defaults were broader. GitHub changed the default `GITHUB_TOKEN` setting to read-only for new repositories and organizations in February 2023, but said the change would not affect existing repositories, which previously received read/write access by default. (github.blog)

SC Media reported Microsoft did not confirm the exact token permissions in this case, but Tenable said the token could at minimum have been used to create issues as Microsoft. Tenable also said exploitation was “trivial” because any free GitHub account could submit the malicious issue. (scworld.com)

The disclosure timeline ran from February 24, 2026, when Tenable reported the bug, to March 30, 2026, when Microsoft confirmed it had been fixed. Tenable’s advisory points to Microsoft pull request #1355 as the patch for the vulnerable workflow. (tenable.com)

The episode did not require a stolen maintainer account, a poisoned package, or a merged pull request. It started with a public issue form and ended with code running inside a trusted build system. (tenable.com) (securitylab.github.com)
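The pattern above, an untrusted expression context expanded inside a `run:` script, can be caught by a repository scan before a workflow ships. The following checker is an added example written for this article, not code from Tenable, Microsoft or GitHub; the sample workflow it scans is constructed to mirror the described bug and its environment-variable fix, and the non-issue contexts in the list are assumed siblings rather than fields the article names.

```python
import re

# Contexts GitHub Security Lab treats as attacker-controlled. The two issue
# fields are the ones named in the advisory; the rest are assumed siblings.
UNTRUSTED_CONTEXTS = ("github.event.issue.title", "github.event.issue.body",
                      "github.event.pull_request.title", "github.event.pull_request.body",
                      "github.event.comment.body", "github.head_ref")
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")


def find_unsafe_interpolations(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, context) for each untrusted context expanded inside a
    `run:` script, where the runner pastes raw text before the interpreter parses
    it. The same context under `env:` is not flagged: it arrives as a variable."""
    findings, in_run, run_indent = [], False, 0
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("- "):                 # YAML list item, e.g. `- run: |`
            stripped, indent = stripped[2:], indent + 2
        if in_run and (not stripped or indent > run_indent):
            pass                                      # continuation of the block scalar
        elif stripped.startswith("run:"):
            in_run, run_indent = True, indent
        else:
            in_run = False
        if in_run:
            for expr in EXPR_RE.findall(line):
                findings += [(lineno, c) for c in UNTRUSTED_CONTEXTS if c in expr]
    return findings


# Constructed sample modelled on the pattern in the advisory: the issue body is
# pasted into a Python string in one step, and passed via env in the hardened step.
SAMPLE_WORKFLOW = """\
jobs:
  tag:
    steps:
      - run: |
          python - <<'EOF'
          body = \"\"\"${{ github.event.issue.body }}\"\"\"
          EOF
      - env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          python - <<'EOF'
          import os; body = os.environ["ISSUE_BODY"]
          EOF
"""

FINDINGS = find_unsafe_interpolations(SAMPLE_WORKFLOW)  # [(6, 'github.event.issue.body')]
```

Only the first step is reported: in the second, the expression is expanded into an environment variable, so the issue text never becomes part of the Python source.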