Prompt Injection Vulnerability in GitHub Actions Hits Fortune 500 Firms

A new class of prompt injection vulnerabilities, dubbed “PromptPwnd,” has been uncovered by cybersecurity firm Aikido Security.

The flaws affect GitHub Actions and GitLab CI/CD pipelines that are integrated with AI agents, including Google’s Gemini CLI, Claude Code, and OpenAI Codex. The vulnerability has been confirmed to impact at least five Fortune 500 companies, with evidence suggesting the issue is widespread.

Aikido Security, which first identified and disclosed this vulnerability pattern, has open-sourced Opengrep rules to help security vendors detect the flaw.

The vulnerability pattern involves untrusted user input being injected into AI prompts, allowing the AI agent to execute privileged commands, which can lead to the leakage of secrets or manipulation of workflows. This marks the first confirmed real-world demonstration of AI prompt injection successfully compromising CI/CD pipelines.

Prompt Injection Flaw in GitHub Actions

The attack leverages the increasing integration of AI into software development workflows for tasks like automatic issue triage and pull request labeling.

The vulnerability arises when untrusted content from sources like GitHub issue titles or bodies is directly fed into AI prompts. An attacker can embed malicious instructions within this content.

Figure: GitHub Workflows Vulnerability

The AI model then misinterprets these instructions as commands, not data, and uses its integrated tools to perform unauthorized actions. This can include editing pull requests or, in more severe cases, exfiltrating sensitive credentials and API keys.

A prime example of this vulnerability was found in Google’s own Gemini CLI repository. The workflow passed untrusted user input from GitHub issues directly into the model prompt.

Aikido Security created a proof-of-concept by submitting a malicious issue with hidden instructions. The AI agent interpreted these instructions and executed a command to edit the issue, embedding sensitive API keys and tokens directly into the issue body, thereby exposing them. Following Aikido’s responsible disclosure, Google patched the vulnerability within 4 days.

This vulnerability is not isolated to a single AI agent. Researchers found that similar architectural patterns exist across many AI-powered GitHub Actions, including Claude Code Actions and OpenAI Codex Actions, especially when security settings are misconfigured to allow non-privileged users to trigger workflows.

To address the “PromptPwnd” vulnerability, Aikido Security recommends several remediation steps. Organizations should restrict the toolset available to AI agents, avoiding tools that can write to issues or pull requests.

It is also crucial to avoid injecting untrusted user input into AI prompts, or to sanitize and thoroughly validate it if unavoidable. Furthermore, all output generated by AI should be treated as untrusted code and not executed without validation.

Limiting the access of GitHub tokens by IP address can also help restrict the potential damage from leaked credentials. Aikido offers a free tool to scan GitHub and GitLab repositories for this vulnerability, and developers can also use open-source tools to check their workflow .yml files.
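The pattern described above (issue text interpolated straight into the model prompt while the job token can write issues) and the remediation advice (keep untrusted text out of the prompt, restrict what the agent can write, validate model output before acting on it) can both be checked statically. The scanner below is an added example and not Aikido's Opengrep rules or its free scanner; it works on the raw workflow text with regular expressions, so it needs no YAML library. The two workflow samples are constructed for this example, and the action, input and output names (`google-github-actions/run-gemini-cli`, `gemini_api_key`, `prompt`, `steps.agent.outputs.label`) are assumptions standing in for whatever AI action a repository actually uses; the list of attacker-writable expression contexts is also the example's own, not from the article.

```python
import re

# Expression contexts set by whoever opened the issue, PR, comment or review (example's own list).
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*(github\.(?:event\.issue\.(?:title|body)|"
    r"event\.pull_request\.(?:title|body|head\.ref)|"
    r"event\.(?:comment|review|review_comment)\.body|head_ref))\s*\}\}")
AI_STEP_HINTS = ("run-gemini-cli", "claude-code-action", "codex-action")  # assumed action names
WRITE_PERM_RE = re.compile(r"\b(issues|pull-requests):\s*write\b")
STEP_START_RE = re.compile(r"^\s*-\s+(?:name|uses|run|with|id|env|if|shell):")
JOB_KEY_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")  # job ids sit at indent 2


def _split_jobs(lines):
    """Return (lines before `jobs:`, [(job_id, start_idx, end_idx)])."""
    header_end = next((i for i, ln in enumerate(lines) if ln.rstrip() == "jobs:"), len(lines))
    jobs, i = [], header_end + 1
    while i < len(lines):
        m = JOB_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        start, i = i, i + 1
        while i < len(lines) and not JOB_KEY_RE.match(lines[i]) and not lines[i][:1].strip():
            i += 1
        jobs.append((m.group(1), start, i))
    return lines[:header_end], jobs


def _steps(body, offset):
    # Split a job body into (start_idx, lines) blocks, one per `- ...` step.
    blocks = []
    for i, ln in enumerate(body):
        if STEP_START_RE.match(ln):
            blocks.append((offset + i, [ln]))
        elif blocks:
            blocks[-1][1].append(ln)
    return blocks


def scan_workflow(text):
    """Return (line, kind, detail) findings: untrusted text interpolated into a
    step, and AI-agent steps in a job whose token can write issues or PRs."""
    lines = text.splitlines()
    header, jobs = _split_jobs(lines)
    findings = []
    for job_id, start, end in jobs:
        body = lines[start:end]
        # a job-level permissions block replaces the workflow-level one
        scope = body if any(ln.strip().startswith("permissions:") for ln in body) else header
        writes = [m.group(0) for ln in scope if (m := WRITE_PERM_RE.search(ln))]
        for s_start, block in _steps(body, start):
            uses = next((ln for ln in block if re.search(r"\buses:", ln)), "")
            is_ai = any(h in uses for h in AI_STEP_HINTS)
            for j, ln in enumerate(block):
                m = UNTRUSTED_RE.search(ln)
                if m:
                    kind = "untrusted-input-in-ai-step" if is_ai else "untrusted-input-in-step"
                    findings.append((s_start + j + 1, kind, m.group(1)))
            if is_ai and writes:
                findings.append((s_start + 1, "ai-step-with-write-token", f"job {job_id}: " + ", ".join(writes)))
    return findings


# Constructed workflow with the article's pattern: issue text goes straight into
# the prompt and the job token can write issues. Action/input names are illustrative.
VULNERABLE = """\
name: triage
on: {issues: {types: [opened]}}
permissions: {contents: read, issues: write}
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: google-github-actions/run-gemini-cli@v0
        with:
          gemini_api_key: ${{ secrets.GEMINI_API_KEY }}
          prompt: |
            Triage this issue and apply labels.
            Title: ${{ github.event.issue.title }}
            Body: ${{ github.event.issue.body }}
"""

# Constructed hardened version: read-only token for the agent job, only the issue number in
# the prompt, and the model's one-word answer checked against an allowlist before any write.
HARDENED = """\
name: triage
on: {issues: {types: [opened]}}
jobs:
  triage:
    runs-on: ubuntu-latest
    permissions: {issues: read}
    outputs: {label: "${{ steps.agent.outputs.label }}"}
    steps:
      - id: agent
        uses: google-github-actions/run-gemini-cli@v0
        with:
          gemini_api_key: ${{ secrets.GEMINI_API_KEY }}
          prompt: "Read issue #${{ github.event.issue.number }}; answer with one word: bug, feature or question"
  apply-label:
    needs: triage
    runs-on: ubuntu-latest
    permissions: {issues: write}
    env: {GH_TOKEN: "${{ github.token }}", NUMBER: "${{ github.event.issue.number }}", LABEL: "${{ needs.triage.outputs.label }}"}
    steps:
      - run: |
          case "$LABEL" in bug|feature|question) gh issue edit "$NUMBER" --add-label "$LABEL";;
            *) echo "rejected model output: $LABEL" >&2; exit 1;; esac
"""
```

Running `scan_workflow(VULNERABLE)` reports the two interpolated issue fields at the prompt lines plus the agent step holding an `issues: write` token; `scan_workflow(HARDENED)` reports nothing. The hardened layout separates the two concerns the article names: the agent's job token cannot edit issues, so a hijacked agent has no write tool to misuse, and the model's answer is data that a second job validates against a fixed allowlist (via an environment variable, never by splicing it into the shell) before the only write happens. The heuristic is deliberately coarse: it cannot see an agent's tool configuration, so a job token is the proxy for "tools that can write to issues or pull requests".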
