Vulnerability in Step-security Harden-runner

CVE-2026-25598

Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network conne…

EPSS: 0.000 (5.3th percentile) — read the EPSS interpretation.

Affected products

Step-security Harden-runner — versions < 2.14.2

Weakness classification (CWE)

CWE-778

References

https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq (x_refsource_CONFIRM)
https://github.com/step-security/harden-runner/releases/tag/v2.14.2 (x_refsource_MISC)