CVE-2026-32946

Name of the Vulnerable Software and Affected Versions Harden-Runner versions 2.15.1 and below

Description Harden-Runner, a CI/CD security agent functioning as an EDR for GitHub Actions runners, has an issue where the egress-policy: block network restriction can be bypassed using DNS queries over TCP. When egress-policy: block is enabled with a restrictive allowed-endpoints list, non-compliant traffic should be denied. However, DNS queries over TCP are not adequately restricted, allowing tools like dig to initiate TCP-based DNS queries without being blocked. This requires an attacker to already have code execution capabilities within the GitHub Actions workflow. The Enterprise Tier of Harden-Runner is not affected.

Recommendations Upgrade to Harden-Runner version 2.16.0 or later.