CVE-2026-44246
nnU-Net: Agentic workflow injection in `.github/workflows/issue-triage.yml` of `MIC-DKFZ/nnUNet`
In short
nnU-Net's automated issue management workflow can be manipulated by attackers through crafted GitHub issues. An attacker can inject malicious instructions into an issue title or description, causing an AI agent to perform unintended actions like changing issue labels or posting comments.
Technical detail
CWE-1427 Agentic Workflow Injection: `.github/workflows/issue-triage.yml` embeds untrusted, user-supplied issue content (title, body) directly in the prompt sent to a Claude Code agent, without sanitization. The workflow grants the agent `gh` command execution with write access to the repository, so any `issues.opened` event from an external user can trigger authenticated state-changing operations (relabel, comment).
Summary generated and translated by AI from the official description.
nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset. Prior to 2.4.1, the nnU-Net Issue Triage workflow in `.github/workflows/issue-triage.yml` is vulnerable to Agentic Workflow Injection. The workflow sets `allowed_non_write_users: ${{ github.event.issue.user.login }}`, which means any logged-in GitHub user who opens an issue can reach this agentic workflow with attacker-controlled content. Untrusted issue title and body content are embedded directly into the prompt of `anthropics/claude-code-action`, and the workflow then runs a command-capable Claude agent with permission to comment on and relabel the current issue via `gh`. Because this workflow is triggered automatically on `issues.opened`, an external attacker can submit a crafted issue that steers the agent beyond its intended issue-triage purpose and influences authenticated issue actions. This vulnerability is fixed in 2.4.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
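To audit your own repositories for the combination described above, the following added example (not code from nnU-Net or from the advisory) scans a workflow file's text for the four conditions that make the pattern exploitable. The sample workflow is constructed, the finding ids are hypothetical, and the matching is a line-based heuristic rather than a full YAML parse.

```python
import re

# Constructed workflow for illustration; NOT the actual nnU-Net file.
SAMPLE_WORKFLOW = """\
on:
  issues:
    types: [opened]
permissions:
  issues: write
jobs:
  triage:
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          allowed_non_write_users: ${{ github.event.issue.user.login }}
          prompt: |
            Triage this issue and label it with gh.
            Title: ${{ github.event.issue.title }}
            Body: ${{ github.event.issue.body }}
"""
UNTRUSTED = re.compile(r"\$\{\{[^}]*github\.event\.issue\.(title|body)\b[^}]*\}\}")
CHECKS = {  # hypothetical finding ids -> line-anchored patterns
    "issue-trigger": r"^\s*issues:\s*$|^on:.*\bissues\b",
    "any-author-allowed": r"^\s*allowed_non_write_users:.*github\.event\.issue\.user\.login",
    "write-token": r"^\s*(issues|contents|pull-requests):\s*write\b",
}

def prompt_blocks(text):
    """Yield each `prompt:` value, including the lines of a block scalar."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)prompt:(.*)$", line)
        if m:
            indent, block = len(m.group(1)), [m.group(2)]
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                block.append(nxt)
            yield "\n".join(block)

def audit_workflow(text):
    """Return the set of risk conditions from the description found in `text`."""
    found = {name for name, rx in CHECKS.items() if re.search(rx, text, re.M)}
    if any(UNTRUSTED.search(b) for b in prompt_blocks(text)):
        found.add("untrusted-text-in-prompt")
    return found

def matches_advisory_pattern(text):  # all four conditions co-occur
    return len(audit_workflow(text)) == 4
```

A workflow that reports only some of the conditions still deserves review: an agent that reads the issue through `gh` at run time receives the same untrusted text even when the prompt itself contains no interpolation.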