
Exploitable CI/CD Vulnerabilities Expose Millions of Repositories to Hijacking

A new class of CI/CD vulnerabilities, called Cordyceps, has been discovered in GitHub Actions YAML configurations; it allows unauthenticated attackers to hijack repositories and steal credentials. The flaws arise from the way workflows are composed rather than from any single component, so they bypass traditional scanners and affect millions of open-source repositories, including ones from Microsoft, Google, and Apache. Attackers can achieve command injection, artifact poisoning, and full repository control.

Critical | Advisory | Jun 24, 2026
Action required
Audit all GitHub Actions YAML files in your organization for untrusted variable interpolation, dynamic workflow triggers, and credential exposure patterns. Prioritize repositories with write access to production systems. Enable branch protection rules and require code reviews for all workflow changes.
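The audit above can be started with a heuristic scan of the raw workflow YAML. The following Python script is an added example written for this advisory, not a tool from GitHub or from the Cordyceps researchers; which expression contexts and triggers it treats as untrusted, and the sample workflow it scans, are assumptions of the example.

```python
import re

# Heuristic patterns; which contexts and triggers count as "untrusted" is this
# example's assumption, not a list taken from the advisory.
UNTRUSTED = re.compile(  # attacker-controlled event fields and branch names
    r"\$\{\{\s*(?:github\.event\.(?:issue|pull_request|comment|review|discussion|"
    r"head_commit|commits|workflow_run)\.[\w.\[\]]+|github\.head_ref)\s*\}\}")
RISKY_TRIGGER = re.compile(  # triggers that run with write privileges on PR-supplied input
    r"^\s*(?:-\s*)?(?:pull_request_target|workflow_run)\b|^\s*on:.*\b(?:pull_request_target|workflow_run)\b")
SECRET = re.compile(r"\$\{\{\s*(?:secrets\.\w+|toJSON\(secrets\))\s*\}\}")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:")

def audit_workflow(text: str) -> list:
    findings, run_indent = [], None  # run_indent: indent of the `run:` key we are inside
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if RUN_KEY.match(line):
            run_indent = indent
        elif run_indent is not None and indent <= run_indent:
            run_indent = None  # dedent ends the run script
        in_run = run_indent is not None
        if RISKY_TRIGGER.search(line):
            findings.append((lineno, "risky-trigger", line.strip()))
        if in_run and UNTRUSTED.search(line):  # expression expands before the shell sees it
            findings.append((lineno, "untrusted-interpolation", line.strip()))
        if in_run and SECRET.search(line):  # secrets belong in env:, not inline in the script
            findings.append((lineno, "secret-in-run", line.strip()))
    return findings  # (line number, category, stripped line)

# Constructed sample workflow: a risky trigger, an injectable step, a safe step
# that passes the same value through env, and an inlined secret.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened]
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
      - run: |
          curl -H "Authorization: ${{ secrets.DEPLOY_TOKEN }}" https://example.invalid
"""
```

Running `audit_workflow(SAMPLE_WORKFLOW)` flags the trigger, the first `run:` step and the inlined secret, while the step that reads the title from `$TITLE` is not flagged because the value never reaches the shell as interpolated text.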
Affected products
GitHub Actions, Microsoft, Google, Apache, Cloudflare