“GitLost” Bug Can Expose Private GitHub Repository Data Through Agentic Workflows

A newly identified flaw nicknamed GitLost may let an attacker access information from private GitHub repositories by abusing an organization’s public issue workflow. According to the report, the attac...

A newly identified flaw nicknamed GitLost may let an attacker access information from private GitHub repositories by abusing an organization’s public issue workflow. According to the report, the attacker does not need prior authentication to trigger the problem: they can submit a crafted GitHub Issue in a public repository and use that entry to influence automated agentic processes tied to the organization’s codebase.

The concern is that these workflows can end up processing the issue content in ways that reach beyond the public repository. In the scenario described, the malicious issue can quietly cause private repository data to be pulled into a context where it should not be exposed. That makes the flaw especially relevant for organizations that connect public-facing issue trackers with automation that has access to internal or sensitive projects.

While the details disclosed so far are limited, the finding highlights a broader risk around AI-assisted and agent-driven development pipelines. When automated systems are allowed to read issues, summarize content, or take follow-up actions across multiple repositories, an attacker may be able to steer those systems into revealing information that was never meant for public viewing.

Why it matters

  • The attack can be initiated through a public repository issue.
  • No authentication is required to submit the malicious input, based on the report.
  • Private repository material may be exposed indirectly through connected workflows.
  • Organizations using agentic automation should review how public and private repositories interact.

Security teams that rely on GitHub automation may want to examine repository permissions, issue-handling logic, and any agents that can access both public and private assets. Limiting cross-repository access and validating untrusted issue content are common steps that can reduce the chances of a similar data exposure path.