Description
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2.
Published: 2026-02-09
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Audit Log Evasion
Action: Apply Patch
AI Analysis

Impact

The flaw in Harden-Runner allows outbound traffic created with sendto, sendmsg, and sendmmsg socket calls to bypass the audit logging configured with egress-policy: audit. This is a CWE‑778 vulnerability that undermines the integrity of audit records by permitting connections to go unseen. Based on the description, it is inferred that an attacker who can trigger code execution on the runner could establish network connections that remain invisible to monitoring, potentially enabling data exfiltration or covert command‑and‑control sessions.

Affected Systems

Affected are versions of step-security Harden‑Runner prior to v2.14.2, specifically the Community Tier. The issue applies to any runner instance with egress-policy set to audit. The product is identified as step-security Harden‑Runner community edition.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. An attacker would need to control the runner environment or inject malicious workflow code to leverage the bypass. Given the moderate scoring and low exploitation likelihood, the overall risk is considered moderate but should not be ignored.

Generated by OpenCVE AI on April 18, 2026 at 12:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Harden-Runner to version 2.14.2 or later, which blocks sendto, sendmsg, and sendmmsg from bypassing audit logging.
  • Confirm that the egress-policy parameter remains set to audit after the upgrade.
  • If an upgrade is not immediately possible, restrict the runner’s outbound network permissions or apply firewall rules to monitor or block suspicious connections.

Generated by OpenCVE AI on April 18, 2026 at 12:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cpmj-h4f6-r6pq Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)
History

Sat, 28 Feb 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Stepsecurity
Stepsecurity harden-runner
CPEs cpe:2.3:a:stepsecurity:harden-runner:*:*:*:*:community:*:*:*
Vendors & Products Stepsecurity
Stepsecurity harden-runner
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Thu, 12 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

threat_severity

Moderate

Tue, 10 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Step Security
Step Security harden Runner
Vendors & Products Step Security
Step Security harden Runner

Mon, 09 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Description Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2.
Title Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)
Weaknesses CWE-778
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Step Security Harden Runner
Stepsecurity Harden-runner
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T16:00:59.966Z

Reserved: 2026-02-03T01:02:46.717Z

Link: CVE-2026-25598

cve-icon Vulnrichment

Updated: 2026-02-10T15:30:24.585Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-09T20:15:58.653

Modified: 2026-02-28T00:23:47.940

Link: CVE-2026-25598

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-09T18:58:57Z

Links: CVE-2026-25598 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses