CVE-2026-25598

Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/step-security/harden-runner/releases/tag/v2.14.2	Release Notes
https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:stepsecurity:harden-runner:*:*:*:*:community:*:*:*

History

No history.

Information

Published : 2026-02-09 20:15

Updated : 2026-02-28 00:23

NVD link : CVE-2026-25598

Mitre link : CVE-2026-25598

CVE.ORG link : CVE-2026-25598

JSON object : View

Products Affected

stepsecurity

harden-runner

CWE

CWE-778

Insufficient Logging

{"id": "CVE-2026-25598", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-09T20:15:58.653", "references": [{"url": "https://github.com/step-security/harden-runner/releases/tag/v2.14.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-778"}]}], "descriptions": [{"lang": "en", "value": "Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2."}, {"lang": "es", "value": "Harden-Runner es un agente de seguridad de CI/CD que funciona como un EDR para los runners de GitHub Actions. Antes de 2.14.2, se ha identificado una vulnerabilidad de seguridad en la acci\u00f3n de GitHub Harden-Runner (Nivel Comunitario) que permite que las conexiones de red salientes evadan el registro de auditor\u00eda. Espec\u00edficamente, el tr\u00e1fico saliente que utiliza las llamadas al sistema de socket sendto, sendmsg y sendmmsg puede eludir la detecci\u00f3n y el registro cuando se utiliza egress-policy: audit. Esta vulnerabilidad est\u00e1 corregida en 2.14.2."}], "lastModified": "2026-02-28T00:23:47.940", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:stepsecurity:harden-runner:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "5B714DF6-0FF1-4437-B163-0489E992B020", "versionEndExcluding": "2.14.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}