PT-2026-6908 · Unknown · Harden-Runner

Devanshbatham · Published 2026-02-07 · Updated 2026-02-28 · CVE-2026-25598

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Harden-Runner versions prior to 2.14.2

Description

Harden-Runner is a CI/CD security agent designed to function like an EDR for GitHub Actions runners. A security issue has been identified in the Community Tier of Harden-Runner that allows outbound network connections to bypass audit logging. Specifically, outbound traffic utilizing the sendto, sendmsg, and sendmmsg socket system calls can evade detection and logging when the egress-policy is set to 'audit'. This bypass requires an attacker to already have code execution capabilities within the GitHub Actions workflow. The issue does not affect the Enterprise Tier. The vulnerability stems from incomplete monitoring coverage of certain socket-related system calls, allowing attackers to establish covert communication channels using UDP traffic without generating audit events.

Recommendations

Upgrade to Harden-Runner version 2.14.2 or later.
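
A defender-side check for the affected range above, as an added example (not part of the advisory or the Harden-Runner project): it scans workflow text for Harden-Runner steps and classifies each pinned ref against 2.14.2. The `step-security/harden-runner` action path, the trailing `# vX.Y.Z` pin comment and the sample workflow are assumptions or constructed values.

```python
import re

FIXED = (2, 14, 2)  # first fixed release named in the advisory
# Assumed reference form: step-security/harden-runner@<ref> [# vX.Y.Z]
USES = re.compile(r"uses:\s*['\"]?step-security/harden-runner@([\w.\-]+)['\"]?"
                  r"(?:\s*#\s*(v?\d[\d.]*))?", re.I)
POLICY = re.compile(r"\s*egress-policy:\s*['\"]?([\w-]+)")
VERSION = re.compile(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")

def classify(ref, hint=None):
    """Map an action ref to 'affected', 'fixed', 'floating' or 'unknown'."""
    src = hint if re.fullmatch(r"[0-9a-fA-F]{40}", ref) else ref
    m = VERSION.fullmatch(src) if src else None
    if not m:
        return "unknown"      # SHA without a version comment, or a branch name
    parts = tuple(int(p) for p in m.groups() if p is not None)
    if parts < FIXED[:len(parts)]:
        return "affected"
    if len(parts) < 3 and parts == FIXED[:len(parts)]:
        return "floating"     # e.g. v2 moves with releases; check what it resolves to
    return "fixed"

def scan(workflow_text):
    """Return (line_no, ref, status, egress_policy) per harden-runner step."""
    lines, findings = workflow_text.splitlines(), []
    for i, line in enumerate(lines):
        u = USES.search(line)
        if not u:
            continue
        policy = None         # stays None when the step sets no egress-policy
        for nxt in lines[i + 1:]:
            p = POLICY.match(nxt)
            if p or nxt.lstrip().startswith("- "):   # found it, or next step began
                policy = p.group(1) if p else None
                break
        findings.append((i + 1, u.group(1), classify(*u.groups()), policy))
    return findings

# Constructed sample workflow; the commit SHA is a made-up placeholder.
SAMPLE = """\
steps:
  - uses: step-security/harden-runner@v2.13.0
    with:
      egress-policy: audit
  - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # v2.14.2
"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Whether a run is on the Community Tier cannot be read from the workflow file, so an `affected` result with `egress-policy: audit` still needs that check. A version taken from a pin comment is only a hint and should be confirmed against the commit it annotates.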

Exploit

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-25598
GHSA-CPMJ-H4F6-R6PQ

Affected Products

Harden-Runner