Noma Security Finds GitLost Vulnerability Leaking GitHub Private Data
Noma Security discovered a prompt injection vulnerability in GitHub Agentic Workflows that allows attackers to leak private repository content via public issues.
Researchers from Noma Security discovered a critical prompt injection vulnerability, named GitLost, within GitHub's preview Agentic Workflows. The flaw enables unauthenticated attackers to leak sensitive data from private repositories by posting specially crafted GitHub Issues in a public repository belonging to the same organization. By embedding malicious instructions in plain English—specifically using the keyword "Additionally" to bypass guardrails—attackers can trick the AI agent into fetching private content and posting it as a public comment.
Noma Security demonstrated the exploit by successfully pulling a README.md file from a private repository. Researcher Sasi Levi identified the root cause as indirect prompt injection, where the agent treats untrusted user-controlled content as trusted instructional input. The vulnerability stems from an architectural reliance on a service account permission model, meaning the agent does not distinguish between public and private repositories if both are marked as accessible.
Noma Security has responsibly disclosed the finding to GitHub and recommends implementing least-privilege access controls. The firm emphasizes that any AI agent with access to both untrusted external content and sensitive internal resources can become a bridge for data leaks if trust boundaries are not enforced. GitHub did not immediately respond to requests for comment.