CVE-2026-25598

EPSS 0.02%
Veröffentlicht 09.02.2026 18:58:57
Zuletzt bearbeitet 28.02.2026 00:23:47
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Stepsecurity ≫ Harden-runner SwEditioncommunity Version < 2.14.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.037

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com	6.3	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-778 Insufficient Logging

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq

Vendor Advisory

https://github.com/step-security/harden-runner/releases/tag/v2.14.2

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-25598

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25598

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25598

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-25598