{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25598", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-03T01:02:46.717Z", "datePublished": "2026-02-09T18:58:57.074Z", "dateUpdated": "2026-02-10T16:00:59.966Z"}, "containers": {"cna": {"title": "Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)", "problemTypes": [{"descriptions": [{"cweId": "CWE-778", "lang": "en", "description": "CWE-778: Insufficient Logging", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq"}, {"name": "https://github.com/step-security/harden-runner/releases/tag/v2.14.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/step-security/harden-runner/releases/tag/v2.14.2"}], "affected": [{"vendor": "step-security", "product": "harden-runner", "versions": [{"version": "< 2.14.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T18:58:57.074Z"}, "descriptions": [{"lang": "en", "value": "Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2."}], "source": {"advisory": "GHSA-cpmj-h4f6-r6pq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:30:23.919109Z", "id": "CVE-2026-25598", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:00:59.966Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25598", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:30:23.919109Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:30:24.585Z"}}], "cna": {"title": "Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)", "source": {"advisory": "GHSA-cpmj-h4f6-r6pq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "step-security", "product": "harden-runner", "versions": [{"status": "affected", "version": "< 2.14.2"}]}], "references": [{"url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq", "name": "https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/step-security/harden-runner/releases/tag/v2.14.2", "name": "https://github.com/step-security/harden-runner/releases/tag/v2.14.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-778", "description": "CWE-778: Insufficient Logging"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T18:58:57.074Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25598", "state": "PUBLISHED", "dateUpdated": "2026-02-10T16:00:59.966Z", "dateReserved": "2026-02-03T01:02:46.717Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T18:58:57.074Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:stepsecurity:harden-runner:*:*:*:*:community:*:*:*", "matchCriteriaId": "5B714DF6-0FF1-4437-B163-0489E992B020", "versionEndExcluding": "2.14.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2."}, {"lang": "es", "value": "Harden-Runner es un agente de seguridad de CI/CD que funciona como un EDR para los runners de GitHub Actions. Antes de 2.14.2, se ha identificado una vulnerabilidad de seguridad en la acci\u00f3n de GitHub Harden-Runner (Nivel Comunitario) que permite que las conexiones de red salientes evadan el registro de auditor\u00eda. Espec\u00edficamente, el tr\u00e1fico saliente que utiliza las llamadas al sistema de socket sendto, sendmsg y sendmmsg puede eludir la detecci\u00f3n y el registro cuando se utiliza egress-policy: audit. Esta vulnerabilidad est\u00e1 corregida en 2.14.2."}], "id": "CVE-2026-25598", "lastModified": "2026-02-28T00:23:47.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T20:15:58.653", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/step-security/harden-runner/releases/tag/v2.14.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-778"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "harden-runner: Harden-Runner: Outbound network connections can evade audit logging via specific socket system calls.", "id": "2438198", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438198"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-778", "details": ["Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-25598", "package_state": [{"cpe": "cpe:/a:redhat:external_secrets_operator:1", "fix_state": "Fix deferred", "package_name": "external-secrets-operator/bitwarden-sdk-server-rhel9", "product_name": "External Secrets Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:external_secrets_operator:1", "fix_state": "Fix deferred", "package_name": "external-secrets-operator/external-secrets-operator-bundle", "product_name": "External Secrets Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:external_secrets_operator:1", "fix_state": "Fix deferred", "package_name": "external-secrets-operator/external-secrets-operator-rhel9", "product_name": "External Secrets Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:external_secrets_operator:1", "fix_state": "Fix deferred", "package_name": "external-secrets-operator/external-secrets-rhel9", "product_name": "External Secrets Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:gatekeeper:3", "fix_state": "Fix deferred", "package_name": "gatekeeper/gatekeeper-rhel9", "product_name": "Gatekeeper 3"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/addon-manager-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/placement-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/registration-operator-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/registration-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Fix deferred", "package_name": "multicluster-engine/work-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-controller-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-entrypoint-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-events-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-nop-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-resolvers-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-sidecarlogresults-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-webhook-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines/pipelines-workingdirinit-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:windows_machine_config", "fix_state": "Fix deferred", "package_name": "openshift4-wincw/windows-machine-config-operator-bundle", "product_name": "Red Hat OpenShift for Windows Containers"}, {"cpe": "cpe:/a:redhat:windows_machine_config", "fix_state": "Fix deferred", "package_name": "openshift4-wincw/windows-machine-config-rhel9-operator", "product_name": "Red Hat OpenShift for Windows Containers"}], "public_date": "2026-02-09T18:58:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25598\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25598\nhttps://github.com/step-security/harden-runner/releases/tag/v2.14.2\nhttps://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq"], "statement": "This vulnerability is rated as Moderate, in part due to the following necessary preconditions for exploitation to be possible:\n1. Harden-runner must be in audit mode. \n2. The attacker must already have code execution capabilities within the GitHub Actions workflow. \nNote: When using egress-policy: block, these connections are properly blocked.", "threat_severity": "Moderate"}

{"created": "2026-02-10T16:26:52.067640+00:00", "updated": "2026-02-10T16:26:52.067733+00:00", "vendors": ["step_security", "step_security$PRODUCT$harden_runner"]}