CVE-2026-25598

EUVD-2026-6837

09.02.2026, 20:15

Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Prior to 2.14.2, a security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit. This vulnerability is fixed in 2.14.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
stepsecurity	harden-runner	𝑥 < 2.14.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-778 - Insufficient Logging
When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it.

References

https://github.com/step-security/harden-runner/releases/tag/v2.14.2

https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq