Critical Remote Code Execution in pull_request_target workflow allows secret exfiltration, repository takeover, and organization package compromise Github Token (detected)
Summary
A critical vulnerability was identified in the ansible/ansible.platform GitHub Actions workflow integration.yml.
The workflow is triggered via pull_request_target, checks out untrusted pull request code, and executes it with base-repository trust, exposed secrets, and a highly privileged GITHUB_TOKEN.
By modifying a Python file in a pull request, an attacker can achieve arbitrary remote code execution (RCE) in the GitHub Actions runner. This enables:
- Exfiltration of sensitive secrets, including AAP_GATEWAY_REPO_TOKEN
- Full write access to the repository
- Tampering with CI/CD workflows
- Compromise of organization-level GitHub Packages
- Supply-chain attacks affecting downstream consumers
This issue was fully validated with a real proof of concept. Testing was intentionally stopped immediately after validation to comply with responsible disclosure and ethical research practices.
Affected Repository
- Repository: ansible/ansible.platform
- Workflow: .github/workflows/integration.yml
- Trigger: pull_request_target
The vulnerability is exploitable regardless of the permission scope of the following secret:
GH_TOKEN: ${{ secrets.AAP_GATEWAY_REPO_TOKEN }}
Any valid permission level (read, write, or scoped access) is sufficient, as the secret is injected directly into the attacker-controlled code's runtime environment.
Fix
PR 103
Vulnerability Details
Root Cause
The workflow explicitly checks out and executes code from the pull request head SHA under pull_request_target, causing untrusted code to run with base-repository credentials rather than fork-restricted permissions.
Multiple subsequent steps execute Python scripts, Make targets, and containerized workloads originating from the untrusted codebase while exposing secrets and a highly privileged GITHUB_TOKEN.
This violates GitHub’s documented security model for pull_request_target, which forbids executing untrusted pull request code with secrets or elevated permissions.
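A defender can look for the same combination (a pull_request_target trigger plus a checkout of the pull request head, with secrets or write scopes in reach) in their own workflow files. The following is an added example, not code from the advisory or from the ansible.platform repository; the sample workflow is constructed for illustration and audit_workflow is a hypothetical helper name.

```python
import re

# Constructed workflow modelled on the pattern described above. It is NOT the
# real integration.yml; step names and the make target are placeholders.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
permissions:
  contents: write
  packages: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make integration   # executes code from the PR tree
        env:
          GH_TOKEN: ${{ secrets.AAP_GATEWAY_REPO_TOKEN }}
"""

# A checkout "ref:" that resolves to attacker-controlled PR content.
HEAD_REF = re.compile(
    r"ref:.*(\$\{\{\s*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\s*\}\}"
    r"|refs/pull/)")
SECRET = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
WRITE_SCOPE = re.compile(r"^[ \t]*([a-z-]+):[ \t]*write[ \t]*$", re.M)


def audit_workflow(text):
    """Heuristic text scan of one workflow file; a hit means 'review this'."""
    # Drop full-line comments so commented-out triggers are not counted.
    body = "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith("#"))
    report = {
        "pull_request_target": bool(re.search(r"\bpull_request_target\b", body)),
        "checks_out_pr_head": bool(HEAD_REF.search(body)),
        "secrets": sorted(set(SECRET.findall(body))),
        "write_scopes": sorted(set(WRITE_SCOPE.findall(body))),
    }
    # The dangerous combination: privileged trigger plus untrusted checkout.
    report["risky"] = report["pull_request_target"] and report["checks_out_pr_head"]
    return report


if __name__ == "__main__":
    for key, value in audit_workflow(SAMPLE_WORKFLOW).items():
        print(f"{key}: {value}")
```

The scan is text-based, so it flags candidates for manual review rather than proving that a later step executes the checked-out code.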
Proof of Concept (Validated)
Remote Code Execution
A malicious modification to a Python file was introduced via a pull request and executed successfully during CI.
Evidence:
https://github.com/ansible/ansible.platform/actions/runs/20446188157/job/58750023002?pr=102#step:3:12
Secret Exposure
Exposed Secret: AAP_GATEWAY_REPO_TOKEN
Attacker-controlled code successfully accessed:
secrets.AAP_GATEWAY_REPO_TOKEN
Evidence:
https://github.com/ansible/ansible.platform/actions/runs/20446188157/job/58750023002?pr=102#step:3:12
The exact permission scope of this token does not affect exploitability. Once exposed, any permission level must be considered compromised.
GITHUB_TOKEN Permissions
The workflow runs with a highly privileged GITHUB_TOKEN, including:
contents: write
actions: write
packages: write
pull-requests: write
deployments: write
Actions: write
ArtifactMetadata: write
Attestations: write
Pages: write
Evidence:
https://github.com/ansible/ansible.platform/actions/runs/20446188157/job/58750023002?pr=102#step:1:20
Impact
Repository Impact
An attacker can modify code, workflows, releases, and CI behavior.
Organization-Level Impact
- Actions: write – Enables organization-wide CI/CD abuse, including workflow manipulation, persistence, and lateral movement across repositories.
- Packages: write – Allows publishing or overwriting organization-scoped packages, enabling large-scale supply-chain compromise.
- Attestations: write – Permits forging or modifying build provenance, undermining trust in signed artifacts across the organization.
- SecurityEvents: write – Enables suppression or manipulation of security alerts, allowing vulnerabilities or active compromises to be hidden org-wide.
- Pages: write – Allows hosting or modifying content under trusted organization domains, enabling phishing or malware distribution.
Because the token includes packages: write, an attacker can publish or overwrite organization-owned packages, enabling supply-chain compromise. I can push and replace any package in your GitHub org (risk to your total environment):
https://github.com/orgs/ansible/packages
AAP_GATEWAY_REPO_TOKEN - a token used in other repos can be used for lateral movement.
Supply chain impact
Using the global org packages permission, an attacker can put all Ansible users at risk by adding malicious content to the published packages.
Reporter
Barak Haryati | JFrog
This research was conducted as part of JFrog’s Open Source and Supply Chain Security Contribution efforts. 🐸
Screenshots
Permissions

RCE

Packages page (currently, no changes were made). If you would like to extend the POC, let me know.
data exfiltration
AAP_GATEWAY_REPO_TOKEN

Privileged workflow token

AAP_GATEWAY_REPO_TOKEN

