{"id":3892,"date":"2026-04-21T17:23:31","date_gmt":"2026-04-21T17:23:31","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/04\/21\/critical-microsoft-github-flaw-highlights-dangers-to-ci-cd-pipelines-tenable\/"},"modified":"2026-04-21T17:23:31","modified_gmt":"2026-04-21T17:23:31","slug":"critical-microsoft-github-flaw-highlights-dangers-to-ci-cd-pipelines-tenable","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/04\/21\/critical-microsoft-github-flaw-highlights-dangers-to-ci-cd-pipelines-tenable\/","title":{"rendered":"Critical Microsoft GitHub Flaw Highlights Dangers to CI\/CD Pipelines: Tenable"},"content":{"rendered":"<div><img data-opt-id=1406174562  fetchpriority=\"high\" decoding=\"async\" width=\"770\" height=\"330\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2020\/09\/pipeline.jpg\" class=\"attachment-large size-large wp-post-image\" alt=\"DevsecOps software supply chain data, pipelines, data lineage\" \/><\/div>\n<p>A critical vulnerability in a GitHub Actions workflow of a popular Microsoft GitHub repository could allow a threat actor to run arbitrary code on the repository\u2019s CI\/CD runner and gain access to the secrets available to that workflow, according to researchers with cybersecurity firm Tenable.<\/p>\n<p>In an <a href=\"https:\/\/www.tenable.com\/security\/research\/tra-2026-30\" target=\"_blank\" rel=\"noopener\">advisory<\/a> issued April 21, R\u00e9my Marot, staff research engineer at Tenable, wrote that \u201cby exploiting this vulnerability, an attacker with an unprivileged GitHub account could exfiltrate secrets available to the workflow run and perform unauthorized 
operations on the target GitHub repository.\u201d<\/p>\n<p>The security flaw is easy to exploit, and it illustrates the growing security risk as CI\/CD pipelines play an increasingly central role in software development, according to Marot.<\/p>\n<p>He found that the <a href=\"https:\/\/github.com\/microsoft\/Windows-driver-samples\" target=\"_blank\" rel=\"noopener\">Microsoft GitHub repository<\/a> was using a vulnerable GitHub workflow that allowed any GitHub user to trigger remote code execution (RCE) on the GitHub runner. Through this, the attacker could obtain the token issued to the workflow run and use it to perform unauthorized actions on the repository, compromising the software supply chain.<\/p>\n<p>Tenable described the repository as a \u201csignificant point of interaction for developers,\u201d noting that it had been forked 5,000 times and has more than 7,700 stars. Because the repository, including its workflow definitions, was public, anyone with a registered GitHub account could easily exploit it.<\/p>\n<h3>\u2018Trivial\u2019 Exploitation<\/h3>\n<p>Exploitation of the flaw was \u201ctrivial,\u201d Marot wrote. All it took was for an attacker to open a GitHub issue, a built-in collaboration tool that developers use to document tasks, report bugs, or propose new features, and which any registered user can open, according to Tenable.<\/p>\n<p>From there, the attacker could inject malicious Python code through the issue description: the GitHub workflow started automatically when the issue was created and used the untrusted issue text as input to the code it ran. Doing so executed the attacker\u2019s code on the GitHub runner, the machine that runs the jobs of a GitHub Actions workflow and is essentially the engine of the CI\/CD pipeline.<\/p>\n<p>The exploit allowed the threat actor to exfiltrate the GITHUB_TOKEN and the other secrets exposed to the workflow run. 
Depending on the permissions granted to the GITHUB_TOKEN, that access could allow privileged operations on the repository, Marot said.<\/p>\n<p>Tenable assigned the vulnerability a CVSSv4 severity score of 9.3 out of 10. Microsoft patched the vulnerable workflow via a <a href=\"https:\/\/github.com\/microsoft\/Windows-driver-samples\/pull\/1355\" target=\"_blank\" rel=\"noopener\">pull request<\/a>.<\/p>\n<h3>Rising CI\/CD Threats<\/h3>\n<p>The vulnerability illustrates why developers need to treat their CI\/CD pipelines as critical infrastructure and secure them accordingly, he said.<\/p>\n<p>\u201cThe CI\/CD infrastructure is part of an organization\u2019s attack surface and software supply chain, requiring strict security controls to protect source code and build integrity,\u201d Marot wrote in a FAQ accompanying the Tenable report. \u201cWithout strong safeguards, a vulnerability in a pipeline can be exploited to trigger large-scale supply chain attacks and have critical impacts on downstream systems and users.\u201d<\/p>\n<p>Security vendors have been warning for several years about the increasing attention that bad actors are paying to CI\/CD infrastructure. The OWASP Foundation has published a list of the <a href=\"https:\/\/owasp.org\/www-project-top-10-ci-cd-security-risks\/\" target=\"_blank\" rel=\"noopener\">top 10 CI\/CD security risks<\/a>, ranging from insufficient flow control mechanisms and dependency chain abuse to insufficient credential hygiene and insecure system configuration.<\/p>\n<p>\u201cCI\/CD environments, processes, and systems are the beating heart of any modern software organization,\u201d the organization wrote. \u201cThey deliver code from an engineer\u2019s workstation to production. 
Combined with the rise of the DevOps discipline and microservice architectures, CI\/CD systems and processes have reshaped the engineering ecosystem.\u201d<\/p>\n<h3>Expanding the Attack Surface<\/h3>\n<p>At the same time, they have also expanded the attack surface, creating new pathways for attackers.<\/p>\n<p>\u201cAdversaries of all levels of sophistication are shifting their attention to CI\/CD, realizing CI\/CD services provide an efficient path to reaching an organization\u2019s crown jewels,\u201d OWASP wrote. \u201cThe industry is witnessing a significant rise in the amount, frequency and magnitude of incidents and attack vectors focusing on abusing flaws in the CI\/CD ecosystem.\u201d<\/p>\n<h3>Trivy Attack a Recent Example<\/h3>\n<p>Cybersecurity consultancy IANS Research pointed to the recent supply chain attack that compromised <a href=\"https:\/\/www.aquasec.com\/blog\/trivy-supply-chain-attack-what-you-need-to-know\/\" target=\"_blank\" rel=\"noopener\">Aqua Security\u2019s Trivy<\/a> open source vulnerability scanner and its associated GitHub Actions as an <a href=\"https:\/\/devops.com\/sophisticated-supply-chain-attack-targeting-trivy-expands-to-checkmarx-litellm\/\" target=\"_blank\" rel=\"noopener\">example of the growing focus<\/a> of threat actors on software development processes, noting that it \u201chas triggered a cascading compromise across CI\/CD environments.\u201d<\/p>\n<p>\u201cThreat actors are leveling up their supply chain attacks,\u201d IANS researchers <a href=\"https:\/\/www.iansresearch.com\/resources\/all-blogs\/post\/security-blog\/2026\/04\/19\/trivy-supply-chain-attack-triggers-self-propagating-ci-cd-compromise\" target=\"_blank\" rel=\"noopener\">wrote in a blog post<\/a> on April 19. 
\u201cBy combining a trusted security tool compromise with worm-like propagation and token hijacking, attackers turned trusted CI\/CD workflows and package ecosystems into an easy channel for distributing malware.\u201d<\/p>\n<p>Tenable recommended that development teams implement \u201crigorous security measures\u201d to protect source code, build integrity, and automated workflows, and that they review and restrict the permissions granted to the GITHUB_TOKEN. In addition, teams need to regularly audit their automated workflows to ensure that they contain no injection vulnerabilities that external user input can exploit.<\/p>\n<p><a href=\"https:\/\/devops.com\/critical-microsoft-github-flaw-highlights-dangers-to-ci-cd-pipelines-tenable\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>A critical vulnerability in a popular Microsoft GitHub repository could allow a threat actor to easily exploit its CI\/CD infrastructure [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3893,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-positi
on":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-3892","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3892","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=3892"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3892\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/3893"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=3892"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=3892"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=3892"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
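The flaw class behind the Tenable finding in the article above (untrusted issue text reaching code a workflow executes) and the two recommendations the article closes with (audit workflows for injection of external user input; restrict GITHUB_TOKEN permissions), as an added worked example. This is illustration code written for this page, not code from Tenable, Microsoft or the Windows-driver-samples repository, and the two workflow texts embedded in it are constructed for the example rather than the real vulnerable or patched workflow. The function names, the list of untrusted context paths (an assumed subset of the inputs GitHub's security-hardening guidance lists as attacker-controllable) and the `env:` remediation are the assumptions. The scanner walks a workflow file line by line, reports every `${{ }}` expression on an attacker-controllable path that sits inside a `run:` step, and separately checks whether the workflow pins down top-level GITHUB_TOKEN permissions:

```python
"""Line-oriented audit for GitHub Actions expression injection into run: steps.
Added example for this page, not code from Tenable, Microsoft or the
Windows-driver-samples repository; both sample workflows are constructed."""
from __future__ import annotations

import re

# github context paths an unprivileged account can populate (assumed subset of
# the attacker-controllable inputs GitHub's security-hardening guidance lists)
UNTRUSTED_PATHS = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.comment.body", "github.event.review_comment.body",
    "github.event.head_commit.message", "github.head_ref",
)
EXPRESSION = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
YAML_KEY = re.compile(r"^(\s*)(-\s+)?([A-Za-z_][\w-]*):(.*)$")  # "key:" or "- key:"
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions:\s*(\S*)\s*$", re.MULTILINE)


def is_untrusted(expr: str) -> bool:
    """True if the expression reads an attacker-controllable context path."""
    e = expr.strip()
    return any(e == p or e.startswith(p + ".") or e.startswith(p + "[")
               for p in UNTRUSTED_PATHS)


def scan_run_steps(workflow: str) -> list[tuple[int, str]]:
    """Return (1-based line, expression) for every untrusted ${{ }} expression
    whose value lands inside a run: script. GitHub substitutes the text before
    the shell sees the script, so quoting inside the script cannot help; the
    same expression under env: is safe and is deliberately not reported."""
    findings: list[tuple[int, str]] = []
    in_run, run_indent = False, -1
    for lineno, line in enumerate(workflow.splitlines(), start=1):
        key = YAML_KEY.match(line)
        if key:
            indent = len(key.group(1)) + len(key.group(2) or "")
            if in_run and indent <= run_indent:  # a sibling key ends the run block
                in_run = False
            if key.group(3) == "run":
                in_run, run_indent = True, indent
        if not in_run:
            continue
        for m in EXPRESSION.finditer(line):
            if is_untrusted(m.group(1)):
                findings.append((lineno, m.group(1)))
    return findings


def restricts_token(workflow: str) -> bool:
    """True if a top-level permissions: block exists and is not write-all.
    Job-level blocks are not inspected; with no block at all the GITHUB_TOKEN
    inherits the repository default, which may be broad."""
    m = TOP_LEVEL_PERMISSIONS.search(workflow)
    return m is not None and m.group(1) != "write-all"


# constructed sample: the issue body is pasted straight into a Python one-liner,
# so a body containing ''' followed by Python code runs on the runner
VULNERABLE_WORKFLOW = """\
name: issue-triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Count characters in the new issue
        run: python3 -c "print(len('''${{ github.event.issue.body }}'''))"
"""

# constructed hardened form: same logic, the body travels through an environment
# variable and the workflow declares only the token permission the job needs
HARDENED_WORKFLOW = """\
name: issue-triage
on:
  issues:
    types: [opened]
permissions:
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Count characters in the new issue
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: python3 -c "import os; print(len(os.environ['ISSUE_BODY']))"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, "token_restricted =", restricts_token(wf),
              "run: injections =", scan_run_steps(wf))
```

Run as a script, the constructed vulnerable workflow is reported at the line where the issue body is spliced into the Python one-liner, and it has no `permissions:` block; the hardened variant passes the same data through an environment variable, which the shell and Python treat as data rather than code, and declares a minimal `permissions:` block so a stolen token cannot do more than the job needs. The check is line-oriented rather than a full YAML parse and does not follow expressions wrapped in functions such as `toJSON(...)`, so treat it as a first-pass audit for the flaw class discussed here rather than a replacement for a dedicated workflow linter. Workflows triggered by `issues` and similar events run in the base repository with that repository's token and secrets, which is why an injection reachable from an issue body is more damaging than one reachable only from a fork's pull request.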