CI/CD pull_request_target Pwn Request
discovered 2026-07-14A GitHub Actions workflow triggered by pull_request_target (which runs with repository secrets) is misconfigured to check out the untrusted PR head instead of the base branch. Attacker-controlled PR code therefore executes in a privileged context and reads/exfiltrates workflow secrets. Here it stole the org-wide asyncapi-bot Personal Access Token via PR #2155.