16 GitHub Workflows Found Vulnerable to Unauthorized Comment-Triggered Execution, Affecting 1,451 Instances

A critical security misconfiguration has been identified across multiple GitHub repositories where workflows triggered by user comments lack proper authorization verification, potentially allowing arbitrary external users to execute privileged operations. The vulnerability, designated RGS-004, was detected in 16 unique workflows with a combined total of 1,451 finding occurrences, according to automated security analysis.

The flaw specifically affects workflows triggered by `issue_comment`, `pull_request_review_comment`, or `workflow_run` events that access secrets or hold write permissions. The `issue_comment` event fires for comments from any GitHub user, including those with no affiliation to the repository. Without an explicit check on `github.event.comment.author_association` to verify the commenter holds an appropriate authorization level—such as OWNER, MEMBER, or COLLABORATOR status—the workflow grants execution privileges to external parties.

The implications are significant. If the affected workflows perform deployments, access sensitive credentials, or possess write permissions, this misconfiguration effectively extends those capabilities to any GitHub user willing to post a comment on an open issue or pull request. Organizations using these workflows face elevated risk of unauthorized code execution, secret exfiltration, or unintended infrastructure changes triggered by bad actors. Security researchers recommend implementing explicit authorization checks before any privileged operation within comment-triggered workflows.