'GitLost' Flaw Leaks Private Data From GitHub's Agentic Workflows
The flaw allows an unauthenticated attacker to craft a GitHub Issue in an org's public repository and then silently pull data from its private repos, too.
Unauthenticated access lets systems or services be used without verifying identity, increasing the risk of data exposure, tampering, or abuse.
Search across headline titles and summaries.
Background for this topic.
Unauthenticated describes a request, session, or service that has not verified the requester’s identity. This may be intentional for public content or health checks, but in security reporting the term often highlights an interface that can be reached without credentials, such as an administration panel, API, database, or device-management service. It does not by itself mean the requester is authorized to perform every action; authentication and authorization are separate controls.
Unauthenticated exposure matters when it permits sensitive data retrieval, configuration changes, or exploitation of a vulnerability without a prior login. Security teams should identify such interfaces during asset discovery and vulnerability management, confirm that public access is necessary, and enforce authentication and least-privilege authorization where it is not. Network restrictions, safe defaults, logging, and alerts for unexpected access help reduce exposure and support investigation when an unauthenticated endpoint is abused.
Weekly headline count for the current query.
The flaw allows an unauthenticated attacker to craft a GitHub Issue in an org's public repository and then silently pull data from its private repos, too.
An unauthenticated attacker can exploit the command injection vulnerability to gain remote access to robotic systems, causing significant disruption to the environment.
CVE-2026-2329 allows unauthenticated root-level access to SMB phone infrastructure, so attackers can intercept calls, commit toll fraud, and impersonate users.
A memory leak security vulnerability allows unauthenticated attackers to extract passwords and tokens from MongoDB servers.
The vulnerability could allow an unauthenticated attacker to remotely execute administrative commands.
Secrets managers hold all the keys to an enterprise's kingdom. Two popular ones had longstanding, critical, unauthenticated RCE vulnerabilities.
Using the API Connections for Azure Logic Apps, a security researcher found unauthenticated users could access sensitive data of other customers.
The security vulnerability tracked as CVE-2024-50603, which rates 10 out of 10 on the CVSS scale, enables unauthenticated remote code execution on affected systems, which cyberattackers are using to plant malware.
Fortinet has patched CVE-2023-34990 in its Wireless LAN Manager (FortiWLM), which combined with CVE-2023-48782 could allow for unauthenticated remote code execution (RCE) and the ability to read all log files.
The zero-day (CVE-2024-49138), plus a worryingly critical unauthenticated RCE security vulnerability (CVE-2024-49112), are unwanted gifts for security admins this season.
There is some disagreement over whether the remote code execution (RCE) security flaws allow for unauthenticated exploitation or not. Citrix says no, but researchers say the company is downplaying a "good old unauthenticated RCE."
The unpatched security vulnerability, which doesn't have a CVE yet, is due to an exposed Microsoft Message Queuing (MSMQ) instance and the use of the insecure BinaryFormatter.
Unauthenticated threat actors can remotely cause a denial-of-service (DoS) cyberattack within the Remote Access VPN software in Cisco's ASA and Firepower software.
The popular LiteSpeed Cache plug-in is vulnerable to unauthenticated privilege escalation via a dangerous XSS flaw.
Though the critical vulnerability was patched in August, Ivanti is reminding customers to update as soon as possible as attacks from unauthenticated threat actors start circulating.
The high-severity CVE-2024-6387 in OpenSSH is a reintroduction of a 2006 flaw, and it allows unauthenticated RCE as root.
Corporate admins should patch the max-severity CVE-2024-23108 immediately, which allows unauthenticated command injection.
A vulnerability in the HNAP login request protocol that affects a family of devices gives unauthenticated users root access for command execution.
Researchers discovered seven vulnerabilities — including an unauthenticated RCE issue — in widely deployed Telit Cinterion modems.
An exploit for the vulnerability allows unauthenticated attackers to escape a virtual file system sandbox to download system files and potentially achieve RCE.