CVE-2026-32947

CVE-2026-32947 is a medium-severity incorrect authorization vulnerability in step-security/harden-runner (actions), affecting versions <= 2.15.1. It is fixed in 2.16.0.

Summary

A vulnerability exists in the Community Tier of Harden-Runner that allows bypassing the egress-policy: block network restriction using DNS over HTTPS (DoH).

Harden-Runner secures GitHub Actions workflows on runners by applying network policies, including an allowed-endpoints configuration that limits outbound traffic to specified domains and ports (e.g., github.com:443). In egress-policy: block mode, non-compliant connections are intercepted and denied.

This vulnerability exploits DoH, a protocol that encapsulates DNS queries within HTTPS requests. By crafting a DNS query that embeds exfiltrated data as a subdomain (e.g., encoding the runner's hostname into a label), an attacker can route the request through a permitted HTTPS endpoint like dns.google (8.8.8.8's DoH service). The resolver processes the query and forwards it to the attacker's controlled domain, achieving exfiltration without directly accessing the blocked destination. This evades Harden-Runner's domain-based filtering, as the initial HTTPS connection appears legitimate.

This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow.

The Enterprise Tier of Harden-Runner is not affected by this vulnerability.

For Community Tier Users

Upgrade to Harden-Runner v2.16.0 or later.

For Enterprise Tier Users

No action required. Enterprise tier customers are not affected by this vulnerability.

Credit

We would like to thank Devansh Batham for responsibly disclosing this vulnerability through our security reporting process.

Impact

When Harden-Runner is configured with egress-policy: block and a restrictive allowed-endpoints list, an attacker with existing code execution capabilities within a GitHub Actions workflow can bypass the allowed domains check via DNS over HTTPS by proxying DNS queries through a permitted resolver (e.g., Google's DoH service). This allows data exfiltration even when allowed-endpoints is set to only whitelisted domains.

This vulnerability affects only the Community Tier. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow.

The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.

Affected versions

step-security/harden-runner (<= 2.15.1)

Security releases

step-security/harden-runner → 2.16.0 (actions)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade step-security/harden-runner to 2.16.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-32947? CVE-2026-32947 is a medium-severity incorrect authorization vulnerability in step-security/harden-runner (actions), affecting versions <= 2.15.1. It is fixed in 2.16.0. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
  2. Which versions of step-security/harden-runner are affected by CVE-2026-32947? step-security/harden-runner (actions) versions <= 2.15.1 is affected.
  3. Is there a fix for CVE-2026-32947? Yes. CVE-2026-32947 is fixed in 2.16.0. Upgrade to this version or later.
  4. Is CVE-2026-32947 exploitable, and should I be worried? Whether CVE-2026-32947 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2026-32947 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-32947? Upgrade step-security/harden-runner to 2.16.0 or later.

Other vulnerabilities in step-security/harden-runner

CVE-2026-32947CVE-2026-32946CVE-2025-32955CVE-2024-52587

Stop the waste.
Protect your environment with Kodem.