CI/CD Security Agent Vulnerability in Harden-Runner by Step Security
CVE-2026-32946

4.6 MEDIUM

Key Information:

Vendor
CVE Published:
20 March 2026

What is CVE-2026-32946?

Harden-Runner, a CI/CD security agent, contains a vulnerability that allows an attacker to bypass its egress policies by issuing DNS queries over TCP. Versions 2.15.1 and below do not adequately filter these outbound connections, so traffic that the policy should block is let through. Exploitation requires that the attacker already has code execution within a GitHub Actions workflow; from there, a tool such as 'dig' can issue TCP-based DNS queries, potentially enabling unauthorized data exfiltration. The issue is fixed in version 2.16.0.
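To make the gap described above concrete, here is an added example that is not Harden-Runner's code: it models an egress policy that evaluates DNS only over UDP (a simplified stand-in for the advisory's "not adequately filtered" TCP case), audits constructed outbound flow records against it, and adds a size heuristic for spotting exfiltration-sized DNS traffic. The resolver addresses and flow records are constructed for illustration.

```python
"""Audit CI-runner egress flows for DNS traffic a UDP-only policy never evaluates."""
from dataclasses import dataclass

# Constructed flow records (not from the advisory): proto dst_ip dst_port bytes_out
SAMPLE_FLOWS = [
    "udp 10.0.0.53 53 96",        # normal lookup to the approved resolver
    "tcp 140.82.112.3 443 1200",  # ordinary HTTPS egress, not DNS
    "tcp 203.0.113.7 53 48210",   # DNS over TCP to an unapproved resolver, large payload
    "udp 203.0.113.7 53 120",     # DNS over UDP to an unapproved resolver
    "tcp 10.0.0.53 53 310",       # TCP fallback to the approved resolver (truncated reply)
]

APPROVED_RESOLVERS = {"10.0.0.53"}   # constructed allowlist for the runner


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dst_port: int
    bytes_out: int


def parse_flows(lines):
    """Parse whitespace-separated flow records into Flow objects."""
    flows = []
    for line in lines:
        proto, ip, port, size = line.split()
        flows.append(Flow(proto.lower(), ip, int(port), int(size)))
    return flows


def audit_dns_egress(flows, approved, inspected_protocols):
    """Classify DNS flows to unapproved resolvers.

    'blocked'  : flows the policy evaluates and would deny.
    'bypassed' : flows on a protocol the policy never inspects, so they pass
                 unseen. With inspected_protocols={'udp'} the TCP/53 flow is
                 bypassed; with {'udp', 'tcp'} nothing slips through.
    """
    result = {"blocked": [], "bypassed": []}
    for f in flows:
        if f.dst_port != 53 or f.dst_ip in approved:
            continue
        bucket = "blocked" if f.proto in inspected_protocols else "bypassed"
        result[bucket].append(f)
    return result


def oversized_dns(flows, max_bytes=1024):
    """Port-53 flows whose outbound volume is far beyond a normal query."""
    return [f for f in flows if f.dst_port == 53 and f.bytes_out > max_bytes]
```

The same audit can be run on conntrack or VPC flow exports once they are mapped onto the four fields above.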

Affected Version(s)

harden-runner < 2.16.0

CVSS V4

Score: 4.6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.