Auth bypass in StepSecurity Harden-Runner

CVE-2026-32947

Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. In versions 2.15.1 and below, a DNS over HTTPS (DoH) vulnerability allows attackers to bypass egress-policy: block network restrictions by tunneling…

EPSS: 0.001 (28.4th percentile)

Affected products

Weakness classification (CWE)

References