CVE-2026-44246 Overview
CVE-2026-44246 is an agentic workflow injection vulnerability in nnU-Net, a semantic segmentation framework that automatically adapts its pipeline to a dataset. The flaw exists in the Issue Triage GitHub Actions workflow defined in .github/workflows/issue-triage.yml. Versions prior to 2.4.1 allow any authenticated GitHub user who opens an issue to inject attacker-controlled content directly into a Claude-powered agent prompt. The agent then runs with permissions to comment on and relabel issues, enabling abuse of the authenticated workflow context. The vulnerability is fixed in version 2.4.1.
Critical Impact
Any logged-in GitHub user can submit a crafted issue to steer an automated agent into performing authenticated actions on the repository beyond its intended triage scope.
Affected Products
- nnU-Net (MIC-DKFZ/nnUNet) versions prior to 2.4.1
- Repositories using the issue-triage.yml workflow with anthropics/claude-code-action
- GitHub Actions environments configured with allowed_non_write_users: ${{ github.event.issue.user.login }}
Discovery Timeline
- 2026-05-12 - CVE-2026-44246 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44246
Vulnerability Analysis
The nnU-Net Issue Triage workflow is triggered automatically on the issues.opened event. The workflow embeds untrusted issue title and body content directly into the prompt passed to anthropics/claude-code-action. Because the action is configured as a command-capable Claude agent, the prompt content can influence agent behavior. The agent holds permissions to comment on issues and apply labels via the gh CLI within the authenticated workflow context.
The allowed_non_write_users field is dynamically set to ${{ github.event.issue.user.login }}, which resolves to the issue author. This configuration effectively grants every issue submitter the ability to reach the agentic workflow. An external attacker without write access to the repository can deliver prompt-injection payloads through normal issue submission.
Root Cause
The root cause is unsafe inclusion of attacker-controlled text in an LLM agent prompt combined with an overly permissive access gate. Issue body and title fields are not sanitized or isolated before being concatenated into the agent prompt. The workflow trusts the issue author identity as an authorization boundary, but issue creation is open to any GitHub user.
Attack Vector
An attacker creates a GitHub account and opens an issue against the nnU-Net repository. The issue body contains instructions crafted to override the agent's intended triage role. When the workflow fires, the Claude agent processes the injected instructions and may execute permitted gh commands such as posting comments or relabeling the issue. This produces authenticated actions attributed to the workflow rather than the attacker.
The vulnerability requires no privileges, no user interaction by maintainers, and is reachable over the network through standard GitHub issue submission. See the GitHub Security Advisory GHSA-63mx-j37w-gh59 for full technical context.
Detection Methods for CVE-2026-44246
Indicators of Compromise
- Issues from low-reputation or newly created GitHub accounts containing prompt-style directives such as "ignore previous instructions" or embedded role markers
- Unexpected label changes or automated comments on issues that do not match the documented triage logic
- Workflow run logs from issue-triage.yml showing agent tool invocations beyond standard triage actions
Detection Strategies
- Audit GitHub Actions run history for the issue-triage workflow and compare agent outputs against expected triage behavior
- Review issue bodies submitted before patching for prompt-injection patterns targeting claude-code-action
- Monitor repository audit logs for label or comment activity correlated with issues.opened events from non-collaborator accounts
Monitoring Recommendations
- Enable GitHub Actions workflow run notifications and forward logs to a centralized SIEM for analysis
- Track changes to files under .github/workflows/ and alert on modifications to allowed_non_write_users or agent permission fields
- Establish a baseline of expected triage agent actions and alert on deviations such as unprompted comments or unauthorized label changes
How to Mitigate CVE-2026-44246
Immediate Actions Required
- Upgrade nnU-Net to version 2.4.1 or later, which contains the fix for this workflow
- Review prior workflow runs of issue-triage.yml for any agent actions that may have been influenced by malicious issue content
- Restrict allowed_non_write_users to a vetted set of identities rather than dynamically resolving to the issue author
Patch Information
The MIC-DKFZ maintainers released the fix in nnU-Net 2.4.1. Repository operators should pull the updated workflow file from the upstream release and replace any locally maintained copy of .github/workflows/issue-triage.yml. Full remediation details are available in the GitHub Security Advisory GHSA-63mx-j37w-gh59.
Workarounds
- Disable the issue-triage.yml workflow until the patched version is deployed
- Remove the dynamic ${{ github.event.issue.user.login }} value from allowed_non_write_users and replace it with explicit maintainer logins
- Sanitize or wrap untrusted issue title and body fields before passing them to the agent prompt, treating them as data rather than instructions
- Reduce agent tool permissions so the workflow cannot comment or relabel based on untrusted input
# Configuration example: disable the vulnerable workflow until patched
gh workflow disable issue-triage.yml --repo MIC-DKFZ/nnUNet
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
