{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32946", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.284Z", "datePublished": "2026-03-20T03:58:40.557Z", "dateUpdated": "2026-03-20T03:58:40.557Z"}, "containers": {"cna": {"title": "Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier)", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/step-security/harden-runner/security/advisories/GHSA-g699-3x6g-wm3g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-g699-3x6g-wm3g"}, {"name": "https://github.com/step-security/harden-runner/releases/tag/v2.16.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/step-security/harden-runner/releases/tag/v2.16.0"}], "affected": [{"vendor": "step-security", "product": "harden-runner", "versions": [{"version": "< 2.16.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T03:58:40.557Z"}, "descriptions": [{"lang": "en", "value": "Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. In versions 2.15.1 and below, the Harden-Runner that allows bypass of the egress-policy: block network restriction using DNS queries over TCP. Egress policies are enforced on GitHub runners by filtering outbound connections at the network layer. When egress-policy: block is enabled with a restrictive allowed-endpoints list (e.g., only github.com:443), all non-compliant traffic should be denied. However, DNS queries over TCP, commonly used for large responses or fallback from UDP, are not adequately restricted. Tools like dig can explicitly initiate TCP-based DNS queries (+tcp flag) without being blocked. This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow. The issue has been fixed in version 2.16.0."}], "source": {"advisory": "GHSA-g699-3x6g-wm3g", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. In versions 2.15.1 and below, the Harden-Runner that allows bypass of the egress-policy: block network restriction using DNS queries over TCP. Egress policies are enforced on GitHub runners by filtering outbound connections at the network layer. When egress-policy: block is enabled with a restrictive allowed-endpoints list (e.g., only github.com:443), all non-compliant traffic should be denied. However, DNS queries over TCP, commonly used for large responses or fallback from UDP, are not adequately restricted. Tools like dig can explicitly initiate TCP-based DNS queries (+tcp flag) without being blocked. This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow. The issue has been fixed in version 2.16.0."}], "id": "CVE-2026-32946", "lastModified": "2026-03-20T04:16:50.107", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T04:16:50.107", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/step-security/harden-runner/releases/tag/v2.16.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-g699-3x6g-wm3g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.16.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "harden-runner", "source": "cna", "vendor": "step-security"}, "product": "harden_runner", "vendor": "step_security"}], "analysis": {"en": {"generated_at": "2026-03-20T05:22:30.427447+00:00", "value": {"mitigation_remediation": ["Upgrade to Harden\u2011Runner version 2.16.0 or later."], "summary": {"action": "Patch", "impact": "Egress Policy Bypass via DNS over TCP"}, "threat_synthesis": {"affected_systems": "The affected product is step-security:harden-runner. Versions 2.15.1 and earlier of Harden\u2011Runner are impacted. These versions are used as a CI/CD security agent that enforces outbound network restrictions on GitHub Actions runners. The vulnerability was addressed in Harden\u2011Runner release 2.16.0.", "description_and_impact": "The vulnerability in Harden-Runner (Community Tier) allows an attacker who has code execution privileges within a GitHub Actions workflow to bypass the egress\u2011policy: block restriction. By issuing DNS queries over TCP\u2014a method normally used for large responses or as a fallback from UDP\u2014the attacker can route traffic to disallowed endpoints that are otherwise blocked by the runner\u2019s network\u2011layer filter. The issue corresponds to CWE\u2011693 (Improper Restriction of Operations within the Boundary) and CWE\u2011863 (Improper Neutralization of Intended Functions). It does not enable arbitrary code execution but can be used to exfiltrate data or reach services that should be unreachable under a strict egress policy.", "risk_and_exploitability": "The CVSS score is 4.6, indicating moderate overall risk. EPSS information is unavailable, and the vulnerability is not listed in CISA\u2019s KEV catalog. Because the attack requires pre\u2011existing code execution inside the workflow, the exploitability is limited to environments where a malicious or compromised workflow can run code. Nonetheless, once code execution is achieved, the attacker can use tools such as dig with the +tcp flag to send DNS queries over TCP that are not properly vetted by the egress policy."}}}}, "created": "2026-03-20T08:52:44.109373+00:00", "updated": "2026-03-20T10:37:25.901094+00:00", "vendors": ["step_security", "step_security$PRODUCT$harden_runner"]}