CVE-2026-32946
DNS Egress Bypass in Harden-Runner Enables Network Restriction Evasion
Publication date: 2026-03-20
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stepsecurity | harden-runner | to 2.16.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32946 is a moderate severity vulnerability in the Community Tier of Harden-Runner (version 2.15.1 and below) that allows bypassing the egress-policy: block network restriction via DNS queries over TCP.
Harden-Runner enforces egress policies on GitHub runners by filtering outbound network connections, typically restricting traffic to a specified allowed-endpoints list (e.g., only github.com:443). However, DNS queries over TCPβcommonly used for large DNS responses or as a fallback from UDPβare not properly restricted.
Attackers with existing code execution capabilities within a GitHub Actions workflow can exploit this by initiating TCP-based DNS queries (for example, using tools like dig with the +tcp flag) to external DNS resolvers, thereby circumventing the egress block and enabling unauthorized outbound communication.
This vulnerability affects only the Community Tier; the Enterprise Tier is not impacted. It has been fixed in Harden-Runner version 2.16.0.
How can this vulnerability impact me? :
This vulnerability allows an attacker who already has code execution capabilities within a GitHub Actions workflow to bypass network egress restrictions.
By exploiting DNS queries over TCP, the attacker can initiate unauthorized outbound network communication despite restrictive egress policies that should block such traffic.
This could lead to data exfiltration or communication with unauthorized external systems, potentially compromising the security of your CI/CD environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for DNS queries over TCP originating from GitHub Actions runners using Harden-Runner versions 2.15.1 and below. Since the vulnerability involves bypassing egress-policy block restrictions via TCP-based DNS queries, one way to detect it is to look for DNS queries using TCP instead of the usual UDP.
A practical command to test or detect this behavior is to use the dig tool with the +tcp flag to explicitly initiate DNS queries over TCP. For example:
- dig +tcp example.com
If such TCP DNS queries are allowed despite restrictive egress policies, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Harden-Runner to version 2.16.0 or later, where this vulnerability has been fixed.
Until the upgrade is applied, be aware that egress-policy block restrictions can be bypassed via DNS queries over TCP, so consider additional network monitoring or restrictions to detect or block such traffic.