Bug 2449437 (CVE-2026-32947)
| Summary: | CVE-2026-32947 harden-runner: Harden-Runner: Data exfiltration via DNS over HTTPS (DoH) bypass | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alcohan, cmyers, dnakabaa, gparvin, jbalunas, kaycoth, lcouzens, pahickey, rhaigner |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Harden-Runner. A remote attacker with existing code execution within a GitHub Actions workflow could exploit a DNS over HTTPS (DoH) vulnerability to bypass network restrictions. This allows for the exfiltration of sensitive data by encoding it within DoH queries, which appear as legitimate HTTPS traffic, effectively bypassing egress policies.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-03-20 05:02:11 UTC
|