CVE-2026-25598

Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/step-security/harden-runner/releases/tag/v2.14.2	Release Notes
https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:stepsecurity:harden-runner:*:*:*:*:community:*:*:*

History

28 Feb 2026, 00:23

Type	Values Removed	Values Added
References	~~() https://github.com/step-security/harden-runner/releases/tag/v2.14.2 -~~	() https://github.com/step-security/harden-runner/releases/tag/v2.14.2 - Release Notes
References	~~() https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq -~~	() https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
Summary		(es) Harden-Runner es un agente de seguridad de CI/CD que funciona como un EDR para los runners de GitHub Actions. Antes de 2.14.2, se ha identificado una vulnerabilidad de seguridad en la acción de GitHub Harden-Runner (Nivel Comunitario) que permite que las conexiones de red salientes evadan el registro de auditoría. Específicamente, el tráfico saliente que utiliza las llamadas al sistema de socket sendto, sendmsg y sendmmsg puede eludir la detección y el registro cuando se utiliza egress-policy: audit. Esta vulnerabilidad está corregida en 2.14.2.
CPE		cpe:2.3:a:stepsecurity:harden-runner:::::community:::*
First Time		Stepsecurity harden-runner Stepsecurity

09 Feb 2026, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-09 20:15

Updated : 2026-02-28 00:23

NVD link : CVE-2026-25598

Mitre link : CVE-2026-25598

CVE.ORG link : CVE-2026-25598

JSON object : View

Products Affected

stepsecurity

harden-runner

CWE

CWE-778

Insufficient Logging

5.3 /10