This behavior was confirmed and validated across multiple major developer ecosystems. Let's look at the Microsoft Sentinel repository, which publishes SIEM detection rules and automated playbooks directly to customer workspaces via the Azure Marketplace. Novee's team discovered that an attacker could trigger code execution on Microsoft's CI runner by posting a simple comment on a pull request. The runner executed the script, which accessed the repository secrets and stole a non-expiring GitHub App key. With that key, an attacker could silently push updates to the Sentinel Content Hub, modifying security rules for thousands of enterprise customers.
In the case of Google's AI Agent Development Kit repository (adk-samples), the flaw was even more direct. A pull request sent by any outsider was executed within a runner that held a high-privilege Google Cloud role (specifically, roles/owner). By exploiting a workflow injection, an attacker could execute code inside the runner, request credentials from the local metadata service, and take full, permanent control of the Google Cloud project associated with the repository. Google confirmed the impact and resolved it.
Apache Doris, an enterprise analytics database used by tens of thousands of companies, fell victim to two zero-click attack paths. Under Path 1, a simple PR comment could be used to extract hardcoded credentials from the build runners. Under Path 2, a fork pull request allowed the runner to hijack a token with full write permissions across the Apache Doris code repository, packages, and pages. Attackers could have manipulated DB binary releases directly.
Cloudflare's Workers SDK workflow was similarly vulnerable to a branch name injection, letting developers execute arbitrary commands on active runners by targeting the Wrangler CLI toolchain. While Cloudflare did not expose production secrets, they had to harden their workflows to block potential runner compromise.
Even foundational tools like Python's code formatter, Black, were vulnerable. The Python Software Foundation disclosed CVE-2026-31900, a high-severity flaw in the Black GitHub Action. The action parsed the use_pyproject flag insecurely. A malicious PR could overwrite the local pyproject.toml file with a direct URL injection, forcing the runner to fetch and execute remote code (RCE). A stolen token from this runner could let an attacker impersonate the project's publishing bot, modify repository main branches, and eventually target the Black container images pulled 130 million times a month.
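Comment and branch-name injections of the kind described above typically arise when a workflow expands contributor-controlled context values directly into a run: script. The checker below is an added example, not code from Novee or any of the affected projects: it flags that pattern in workflow text, and the function name audit_workflow, the path ./ci/build.sh and both sample workflows are constructed for illustration.

```python
import re

# Expressions an outside contributor controls (branch name, comment or PR text).
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.head_ref|github\.event\.(?:comment|issue|"
    r"review|pull_request)\.[\w.]*?(?:body|title|ref|label))\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
# Triggers that run for outsiders with the base repository's secrets and token.
RISKY_TRIGGERS = ("pull_request_target", "issue_comment")

def audit_workflow(text):
    """Return (risky_triggers, [(line_no, expression), ...]) for run: scripts."""
    triggers = [t for t in RISKY_TRIGGERS if re.search(rf"\b{t}\b", text)]
    findings, block_col = [], None
    for no, line in enumerate(text.splitlines(), 1):
        m, script = RUN_KEY.match(line), ""
        if m:  # a block scalar (| or >) puts the script on the indented lines below
            block_col = len(m.group(1)) if m.group(2)[:1] in ("|", ">") else None
            script = m.group(2)
        elif block_col is not None and line.strip():
            if len(line) - len(line.lstrip()) > block_col:
                script = line
            else:
                block_col = None  # dedent: the run block has ended
        findings += [(no, expr) for expr in UNTRUSTED.findall(script)]
    return triggers, findings

# Constructed sample: untrusted text is pasted into the shell script itself.
VULNERABLE = """\
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Title: ${{ github.event.pull_request.title }}"
          ./ci/build.sh "${{ github.head_ref }}"
"""
# Constructed sample: the value reaches the script only as an environment variable.
HARDENED = """\
on: pull_request
permissions: {contents: read}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - env:
          BRANCH: ${{ github.head_ref }}
        run: ./ci/build.sh "$BRANCH"
"""
```

The hardened sample is not flagged because the expression appears only under env:, so the shell receives the branch name as data rather than as part of the script text.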