Recent research highlights a growing security concern involving AI agents integrated into continuous integration and delivery (CI/CD) pipelines. These AI tools, when paired with popular platforms like GitHub and GitLab, can be exploited through crafted user inputs, leading to potential high-privilege actions.

The Core Issue: Prompt Injection in CI/CD Workflows

Researchers at Aikido Security have identified that AI-powered workflows—using tools such as Gemini CLI, Claude Code Actions, OpenAI Codex Actions, and GitHub AI Inference—are susceptible to prompt injection attacks. Attackers can insert malicious commands into GitHub issues, pull request descriptions, or commit messages, which are then processed directly by AI agents within the pipeline.

This vulnerability, dubbed PromptPwnd, allows malicious inputs to be fed into AI prompts, potentially causing unintended actions such as repository modifications, secret disclosures, or executing commands with high privileges.

How the Exploit Works

The attack relies on two flawed configurations: AI agents with access to powerful tokens like GITHUB_TOKEN or cloud keys, and prompts that embed user-controlled content. When an attacker posts a malicious issue or comment, they can hide instructions that the AI may interpret as commands.

If these prompts are directly used within the CI/CD workflow, the AI’s responses can manipulate the pipeline—executing commands that retrieve sensitive data or alter the repository. Aikido Security demonstrated this by manipulating Gemini CLI in a controlled environment to execute attacker-supplied commands and expose credentials.

Implications and Recommendations

This vulnerability is not limited to Gemini CLI; similar architectures are used across various AI-powered GitHub Actions, including Claude Code, OpenAI Codex, and GitHub AI Inference. All are potentially exploitable via user-controlled text inputs.

To mitigate this risk, Aikido Security recommends implementing open-source detection tools that scan suspected workflow configuration files and using their free code scanners on repositories. Notably, Google addressed the Gemini CLI vulnerability after being notified, though other tools may still require vigilance.

The key takeaway is the importance of validating and sanitizing user inputs in AI-integrated CI/CD workflows to prevent malicious prompt injections and safeguard sensitive assets.

Inspired by

• https://www.infoworld.com/article/4101743/ai-in-ci-cd-pipelines-can-be-tricked-into-behaving-badly.html

Sources

• aikido.dev
• github.com
• csoonline.com