Ai Ci Cd Pipelines. CI/CD Pipeline Security Alert: AI Agents Vulnerable to PromptPwnd AttacksResearchers at Aikido Security have uncovered a critical vulnerability in continuous integration/continuous delivery (CI/CD) pi
(CI/CD) pipelines, which can be exploited by attackers to trick AI agents into executing high-privilege commands.
The researchers discovered that workflows combining GitHub Actions or GitLab CI/CD with AI tools like Gemini CLI, Claude Code Actions, OpenAI Codex Actions, or GitHub AI Inference are vulnerable to this attack, which they call PromptPwnd.
According to the researchers, unsupervised user-supplied strings such as issue bodies, pull request descriptions, or commit messages can be fed into prompts for AI agents, leading to unintended edits to repository content, disclosure of secrets, or other high-impact actions.
“AI agents connected to GitHub Actions/GitLab CI/CD are processing untrusted user input, and executing shell commands with access to high-privilege tokens,” the researchers warned.
Aikido Security has open-sourced detection rules via their “Opengrep” tool, which allows developers and security teams to scan their YAML workflows automatically, revealing whether they feed untrusted inputs into AI prompts.
This vulnerability highlights the importance of securing CI/CD pipelines to prevent such attacks. The researchers recommend restricting what AI agents can do, avoiding piping untrusted user content into prompts, treating AI output as untrusted code, and containing damage from compromised GitHub tokens.
Moreover, developer teams are advised to restrict access to high-privilege tokens and ensure that AI agents only execute commands within a controlled environment.
For more information on securing CI/CD pipelines, visit our dedicated resource page on CI/CD pipeline security.
Aikido Security has notified the affected vendors, including Google, which has patched the issue in Gemini CLI. The research firm has also released a code scanner to help flag these vulnerabilities and detect unsafe GitHub Actions configurations.
This attack vector can be particularly problematic, as it exploits two flawed pipeline configurations: when AI agents operating inside CI/CD workflows have access to powerful tokens (like GITHUB_TOKEN, cloud-access keys), and their prompts embed user-controlled fields.
A successful PromptPwnd attack can lead to sensitive information disclosure, unintended repository edits, or other high-impact actions, depending on the workflow and the access rights of the AI agent.
Best practices for securing CI/CD pipelines include regularly reviewing workflow configurations, restricting access to high-privilege tokens, and implementing robust authentication and authorization mechanisms.
By taking proactive measures to secure their CI/CD pipelines, developer teams can prevent such attacks and ensure the integrity of their software development lifecycle.
The full research report on PromptPwnd is available online, including a detailed explanation of the attack vector and mitigation strategies. To learn more about this critical vulnerability, visit the Aikido Security blog.
For more information on securing CI/CD pipelines, consider adopting the following best practices:
- Regularly review workflow configurations and remove unused or unnecessary actions.
- Restrict access to high-privilege tokens and ensure that AI agents only execute commands within a controlled environment.
- Implement robust authentication and authorization mechanisms to prevent unauthorized access.
- Use open-source detection rules and code scanners to identify potential vulnerabilities.
