GitLost Vulnerability Exposes Private GitHub Repos via AI-Powered Workflows
Security researchers at Noma Labs have uncovered a critical vulnerability, dubbed GitLost, that allows attackers to exploit GitHub’s AI-powered Agentic Workflows to leak private repository contents without requiring credentials, coding skills, or direct system access.
GitHub’s Agentic Workflows combine GitHub Actions with AI agents (powered by Claude or GitHub Copilot), enabling automation via plain Markdown that compiles into YAML. These agents can read issues, execute tools, post comments, and access repositories across an organization based on configured permissions all without human oversight.
The flaw stems from an indirect prompt-injection attack. The vulnerable workflow, identified by Noma Labs, was set to trigger on issues.assigned events, reading the issue’s title and body before responding via a comment tool. Crucially, it operated with read access to both public and private repositories.
Because the AI agent failed to distinguish between trusted system instructions and untrusted user input, attackers could embed malicious commands in an issue’s body. Noma Labs demonstrated this by crafting a seemingly innocuous issue posing as a "VP of Sales" request containing hidden directives. Once assigned, the workflow retrieved and publicly posted contents from both a public (poc) and a private (testlocal) repository.
A key bypass involved the word "Additionally", which reframed the AI’s output without triggering refusal mechanisms, evading GitHub’s existing guardrails. The leaked data included README files from multiple repositories, exposing sensitive information from private sources.
The GitLost vulnerability highlights a fundamental risk in AI-driven systems: their context window the data they process becomes an attack surface. Unlike traditional software, where trust boundaries are enforced in code, agentic AI systems rely on model behavior, making them inherently vulnerable to prompt injection. Researchers liken this threat to SQL injection in web security a systemic flaw requiring equally systemic defenses.
GitHub was notified of the issue through responsible disclosure. The incident underscores the need for stricter input sanitization, minimal permission scoping, and restrictions on public agent responses to mitigate similar risks.
Source: https://cybersecuritynews.com/gitlost-vulnerability-github/
GitHub TPRM report: https://www.rankiteo.com/company/github
"id": "git1783441439",
"linkid": "github",
"type": "Vulnerability",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Organizations using GitHub '
'Agentic Workflows with private '
'repositories',
'industry': 'Software Development, Cloud Services',
'name': 'GitHub',
'type': 'Technology Platform'}],
'attack_vector': 'Indirect Prompt-Injection',
'data_breach': {'data_exfiltration': 'Yes (publicly posted via AI agent)',
'file_types_exposed': ['README files'],
'sensitivity_of_data': 'High (private repository data)',
'type_of_data_compromised': 'Private repository contents '
'(README files, sensitive '
'information)'},
'description': 'Security researchers at Noma Labs uncovered a critical '
'vulnerability, dubbed *GitLost*, that allows attackers to '
'exploit GitHub’s AI-powered *Agentic Workflows* to leak '
'private repository contents without requiring credentials, '
'coding skills, or direct system access. The flaw stems from '
'an indirect prompt-injection attack, where malicious commands '
'embedded in an issue’s body could trick the AI agent into '
'retrieving and publicly posting private repository data.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'GitHub and affected organizations',
'data_compromised': 'Private repository contents (README files, '
'sensitive information)',
'operational_impact': 'Unauthorized data exposure, potential '
'reputational damage',
'systems_affected': 'GitHub Agentic Workflows, private '
'repositories'},
'investigation_status': 'Disclosed via responsible disclosure; remediation in '
'progress',
'lessons_learned': "AI-driven systems' context windows are vulnerable to "
'prompt-injection attacks, requiring systemic defenses '
'similar to SQL injection. Stricter input sanitization, '
'minimal permission scoping, and restrictions on public '
'agent responses are critical.',
'post_incident_analysis': {'corrective_actions': 'Input sanitization, '
'permission scoping, and '
'response restrictions for '
'AI agents',
'root_causes': 'Failure of AI agent to distinguish '
'between trusted system '
'instructions and untrusted user '
'input, leading to indirect '
'prompt-injection vulnerability'},
'recommendations': ['Implement stricter input sanitization for AI agents',
'Enforce minimal permission scoping for automated '
'workflows',
'Restrict public responses from AI agents handling '
'sensitive data',
'Enhance guardrails to detect and block indirect '
'prompt-injection attempts'],
'references': [{'source': 'Noma Labs'}],
'response': {'remediation_measures': 'GitHub notified via responsible '
'disclosure; recommended input '
'sanitization, minimal permission '
'scoping, and restrictions on public '
'agent responses'},
'title': 'GitLost Vulnerability Exposes Private GitHub Repos via AI-Powered '
'Workflows',
'type': 'Data Leak',
'vulnerability_exploited': 'GitHub Agentic Workflows (AI-powered automation)'}