CVE-2026-32947

| EUVD-2026-13539 MEDIUM
2026-03-17 https://github.com/step-security/harden-runner
4.9
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 17, 2026 - 20:30 euvd
EUVD-2026-13539
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
CVE Published
Mar 17, 2026 - 18:38 nvd
MEDIUM 4.9

Tags

RCE Google

Description

## Summary A vulnerability exists in the Community Tier of Harden-Runner that allows bypassing the `egress-policy: block` network restriction using DNS over HTTPS (DoH). Harden-Runner secures GitHub Actions workflows on runners by applying network policies, including an `allowed-endpoints` configuration that limits outbound traffic to specified domains and ports (e.g., `github.com:443`). In `egress-policy: block` mode, non-compliant connections are intercepted and denied. This vulnerability exploits DoH, a protocol that encapsulates DNS queries within HTTPS requests. By crafting a DNS query that embeds exfiltrated data as a subdomain (e.g., encoding the runner's hostname into a label), an attacker can route the request through a permitted HTTPS endpoint like `dns.google` (`8.8.8.8`'s DoH service). The resolver processes the query and forwards it to the attacker's controlled domain, achieving exfiltration without directly accessing the blocked destination. This evades Harden-Runner's domain-based filtering, as the initial HTTPS connection appears legitimate. This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow. The Enterprise Tier of Harden-Runner is **not affected** by this vulnerability. ## Impact When Harden-Runner is configured with `egress-policy: block` and a restrictive `allowed-endpoints` list, an attacker with existing code execution capabilities within a GitHub Actions workflow can bypass the allowed domains check via DNS over HTTPS by proxying DNS queries through a permitted resolver (e.g., Google's DoH service). This allows data exfiltration even when `allowed-endpoints` is set to only whitelisted domains. This vulnerability affects only the Community Tier. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow. ## Remediation ### For Community Tier Users Upgrade to Harden-Runner v2.16.0 or later. ### For Enterprise Tier Users No action required. Enterprise tier customers are not affected by this vulnerability. ## Credit We would like to thank [Devansh Batham](https://github.com/devanshbatham) for responsibly disclosing this vulnerability through our security reporting process.

Analysis

A security vulnerability in A vulnerability exists in the Community Tier of Harden-Runner that (CVSS 4.9). Remediation should follow standard vulnerability management procedures.

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

25
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +24
POC: 0

Share

CVE-2026-32947 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy