Skip to main content

Google CVE-2026-32947

| EUVDEUVD-2026-13539 MEDIUM
Protection Mechanism Failure (CWE-693)
2026-03-17 https://github.com/step-security/harden-runner
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Red Hat
4.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 17, 2026 - 20:30 euvd
EUVD-2026-13539
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
CVE Published
Mar 17, 2026 - 18:38 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

Summary

A vulnerability exists in the Community Tier of Harden-Runner that allows bypassing the egress-policy: block network restriction using DNS over HTTPS (DoH).

Harden-Runner secures GitHub Actions workflows on runners by applying network policies, including an allowed-endpoints configuration that limits outbound traffic to specified domains and ports (e.g., github.com:443). In egress-policy: block mode, non-compliant connections are intercepted and denied.

This vulnerability exploits DoH, a protocol that encapsulates DNS queries within HTTPS requests. By crafting a DNS query that embeds exfiltrated data as a subdomain (e.g., encoding the runner's hostname into a label), an attacker can route the request through a permitted HTTPS endpoint like dns.google (8.8.8.8's DoH service). The resolver processes the query and forwards it to the attacker's controlled domain, achieving exfiltration without directly accessing the blocked destination. This evades Harden-Runner's domain-based filtering, as the initial HTTPS connection appears legitimate.

This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow.

The Enterprise Tier of Harden-Runner is not affected by this vulnerability.

Impact

When Harden-Runner is configured with egress-policy: block and a restrictive allowed-endpoints list, an attacker with existing code execution capabilities within a GitHub Actions workflow can bypass the allowed domains check via DNS over HTTPS by proxying DNS queries through a permitted resolver (e.g., Google's DoH service). This allows data exfiltration even when allowed-endpoints is set to only whitelisted domains.

This vulnerability affects only the Community Tier. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow.

Remediation

For Community Tier Users

Upgrade to Harden-Runner v2.16.0 or later.

For Enterprise Tier Users

No action required. Enterprise tier customers are not affected by this vulnerability.

Credit

We would like to thank Devansh Batham for responsibly disclosing this vulnerability through our security reporting process.

AnalysisAI

A security vulnerability in A vulnerability exists in the Community Tier of Harden-Runner that (CVSS 4.9). Remediation should follow standard vulnerability management procedures.

Technical ContextAI

CWE-693 (Protection Mechanism Failure). Affects A vulnerability exists in the Community Tier of Harden-Runner that.

RemediationAI

Monitor vendor channels for patch availability.

Vendor StatusVendor

Share

CVE-2026-32947 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy