CVE-2026-44246: nnU-Net Agentic Workflow Injection Puts GitHub Workflows at Risk
The National Vulnerability Database has detailed CVE-2026-44246, a high-severity Agentic Workflow Injection vulnerability in nnU-Net, a semantic segmentation framework. Prior to version 2.4.1, nnU-Net’s Issue Triage workflow (located in .github/workflows/issue-triage.yml) allowed any logged-in GitHub user to exploit a critical flaw. Because the workflow set allowed_non_write_users: $, an attacker could reach the agentic workflow with arbitrary, attacker-controlled content.
This vulnerability arises because untrusted issue titles and body content are directly embedded into the prompt of anthropics/claude-code-action. The workflow then executes a command-capable Claude agent with permissions to comment on and relabel the current issue via gh. Since this workflow triggers automatically on issues.opened, a malicious actor can submit a specially crafted issue. This issue can then steer the agent beyond its intended issue-triage purpose, influencing authenticated issue actions and potentially leading to unauthorized operations within the repository.
Organizations leveraging nnU-Net, particularly those with GitHub workflows tied to issue management, face a significant risk. The ability to manipulate an automated agent through a simple issue submission is a potent attack vector, bypassing traditional access controls. The National Vulnerability Database confirms that this issue is fixed in nnU-Net version 2.4.1, making immediate upgrades crucial for mitigation.
What This Means For You
- If your organization uses nnU-Net, especially with GitHub workflows that automate issue triage, you need to verify your version immediately. This isn't just a theoretical vulnerability; it's a direct path for external attackers to manipulate your repository's automated processes. Patch to nnU-Net 2.4.1 or later without delay. Also, review any custom GitHub workflows that process untrusted input from issues or pull requests, particularly those interacting with AI agents or executing commands, to ensure they are not similarly vulnerable to prompt injection or agentic workflow manipulation.
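One way to start the workflow review recommended above, as an added example rather than code from nnU-Net or the advisory: a text-level audit that flags workflow files running anthropics/claude-code-action together with the three conditions described here. Both sample workflows, the flag names and the `"*"` value are constructed for illustration, and the checks are regex heuristics, not a YAML parser.

```python
import re

# Constructed sample, not nnU-Net's actual file: the pattern the advisory describes.
RISKY = """\
on:
  issues:
    types: [opened]
permissions:
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          allowed_non_write_users: "*"
          prompt: |
            Title: ${{ github.event.issue.title }}
            Body: ${{ github.event.issue.body }}
"""
# Constructed counterpart: maintainer-triggered, no issue text expanded into the prompt.
NARROWED = """\
on:
  workflow_dispatch:
permissions:
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1
        with:
          prompt: "Label the issue named in the run inputs."
"""
AGENT = re.compile(r"uses:\s*anthropics/claude-code-action\b")
CHECKS = {
    # Events any logged-in user can fire; the lookahead skips `issues: write` permissions.
    "public-trigger": re.compile(
        r"^\s*(issues|issue_comment|pull_request_target)\s*:(?!\s*(?:read|write|none)\b)", re.M),
    "non-write-users-allowed": re.compile(r"^\s*allowed_non_write_users\s*:\s*\S", re.M),
    "untrusted-text-in-prompt": re.compile(
        r"\$\{\{\s*github\.event\.(?:issue|comment|pull_request)\.(?:title|body)\s*\}\}"),
}

def audit_workflow(text):
    """Return the risk flags for one workflow file; empty if it does not run the agent."""
    if not AGENT.search(text):
        return set()
    return {name for name, rx in CHECKS.items() if rx.search(text)}

if __name__ == "__main__":
    print(sorted(audit_workflow(RISKY)), sorted(audit_workflow(NARROWED)))
```

An empty result only means these three patterns are absent; a workflow whose agent reads issue text by other means still needs manual review.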
🛡️ Detection Rules
6 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
Credential Abuse from Breached Vendor — CVE-2026-44246
```yaml
title: Credential Abuse from Breached Vendor — CVE-2026-44246
id: scw-2026-05-12-1
status: experimental
level: high
description: |
  Monitor for authentication attempts using credentials from target.local, potentially exposed in the CVE-2026-44246 breach.
author: SCW Feed Engine (auto-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44246/
tags:
  - attack.initial_access
  - attack.t1078.004
logsource:
  category: authentication
detection:
  selection:
    User|endswith:
      - '@target.local'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-44246
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44246 | Agentic Workflow Injection | nnU-Net framework versions prior to 2.4.1 |
| CVE-2026-44246 | Agentic Workflow Injection | Vulnerable workflow: .github/workflows/issue-triage.yml |
| CVE-2026-44246 | Agentic Workflow Injection | Vulnerable component: anthropics/claude-code-action |
| CVE-2026-44246 | Agentic Workflow Injection | Attack vector: Crafted GitHub issue title and body content |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.