Security: Agentic Workflow Injection in issue summary workflow via untrusted issue content

[xinyi-hou]

Summary

The affected issue-summary workflow runs automatically on public issues.opened events, sends attacker-controlled issue title and body content to actions/ai-inference, and then posts the model output back to the same issue using an authenticated repository token.

This creates an externally reachable AI-driven write path where an issue author may be able to influence automated issue comments.

Details

• trigger: issues.opened
• permissions: issues: write, models: read, contents: read
• model input includes ${{ github.event.issue.title }} and ${{ github.event.issue.body }}
• sink posts steps.inference.outputs.response with gh issue comment

The workflow is automatically reachable by anyone who can open an issue. Untrusted issue text is embedded directly into the LLM prompt and the resulting output is published as a repository comment without deterministic validation.

PoC

1. Open a new issue.
2. Put instruction-like content in the title or body asking the model to emit a chosen summary.
3. Wait for the workflow to run automatically.
4. Check whether the workflow posts an attacker-influenced summary comment.

Impact

An external issue author may be able to influence automated issue comments, producing misleading summaries or noisy maintainer-facing output under the repository's write-capable automation identity.

Suggested Remediation

• Treat issue title/body as untrusted data rather than operative instructions.
• Avoid posting raw model output directly as an issue comment.
• Restrict this workflow to trusted actors or add human review before publishing AI output.

Credit

Reported by Security PRIDE Research Group @security-pride

[github-actions]

A security vulnerability has been identified in the issue-summary workflow of a public repository, where untrusted issue content (title and body) is sent to an AI model (actions/ai-inference) triggered by issues.opened events. The workflow posts the model's output back to the same issue using an authenticated repository token, effectively creating a write path that attackers can exploit by crafting issue text to manipulate the AI-generated comments. This could lead to misleading summaries or unauthorized modifications published under the repository's automation identity. To mitigate, it is suggested to treat issue content as untrusted, avoid posting raw AI output directly, and implement access restrictions or human review before publishing. The issue was reported by the Security PRIDE Research Group.

[flow-pie]

Summary

The affected issue-summary workflow runs automatically on public issues.opened events, sends attacker-controlled issue title and body content to actions/ai-inference, and then posts the model output back to the same issue using an authenticated repository token.

This creates an externally reachable AI-driven write path where an issue author may be able to influence automated issue comments.

Details

• trigger: issues.opened
• permissions: issues: write, models: read, contents: read
• model input includes ${{ github.event.issue.title }} and ${{ github.event.issue.body }}
• sink posts steps.inference.outputs.response with gh issue comment

The workflow is automatically reachable by anyone who can open an issue. Untrusted issue text is embedded directly into the LLM prompt and the resulting output is published as a repository comment without deterministic validation.

PoC

1. Open a new issue.
2. Put instruction-like content in the title or body asking the model to emit a chosen summary.
3. Wait for the workflow to run automatically.
4. Check whether the workflow posts an attacker-influenced summary comment.

Impact

An external issue author may be able to influence automated issue comments, producing misleading summaries or noisy maintainer-facing output under the repository's write-capable automation identity.

Suggested Remediation

• Treat issue title/body as untrusted data rather than operative instructions.
• Avoid posting raw model output directly as an issue comment.
• Restrict this workflow to trusted actors or add human review before publishing AI output.

Credit

Reported by Security PRIDE Research Group @security-pride

Thanks for reporting this security issue @security-pride and @xinyi-hou .

I've disabled the vulnerable issue-summary workflow while we work on a proper fix:

• The workflow will no longer work on new issues

The next steps will be to:

• Review prompt injection mitigations
• Add input sanitization / output validation
• Restrict workflow to trusted users or add approval gate
• Re-enable only after security review

[xinyi-hou]

Thanks again for the fix! Since this issue involved a security vulnerability, would it be possible to also publish a security advisory and request a CVE ID, if appropriate 😀
https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/publishing-a-repository-security-advisory
This would be very helpful for our academic research.