🟠 High | Source: The Hacker News
GitHub is updating its widely used ‘actions/checkout’ action to block common ‘pwn request’ attack patterns. In a pwn request, a workflow triggered by ‘pull_request_target’ runs in the context of the base repository, with repository secrets and a write-capable GITHUB_TOKEN in scope, and then checks out and executes code from the pull request head, which a fork contributor fully controls. Effective 18 June 2026, the new version introduces safeguards to prevent untrusted code from being checked out and executed in that privileged context. This matters because successful exploitation allows attackers to exfiltrate secrets, tamper with pipelines, or compromise downstream software supply chains.
Security Architect’s Take: Audit every workflow that uses ‘pull_request_target’ and confirm that no step checks out the pull request head (for example a ‘ref:’ of ‘github.event.pull_request.head.sha’ or ‘github.head_ref’) into a privileged job, and bump ‘actions/checkout’ to the updated version as soon as it is released; workflows pinned to an older tag or commit SHA will not receive the new safeguards until the pin is changed. Where ‘pull_request_target’ is genuinely required, enforce an explicit trust boundary: run anything that executes fork code in an unprivileged ‘pull_request’ workflow, and keep the ‘pull_request_target’ job limited to consuming event metadata or artifacts produced by that unprivileged run.
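As an added example that is not GitHub’s code or part of the original advisory, the following dependency-free Python scanner implements the audit described above. It flags a workflow that both triggers on ‘pull_request_target’ and contains an ‘actions/checkout’ step whose ‘ref:’ resolves to the pull request head, and it classifies how the action is pinned. The two workflow texts embedded in it are constructed samples for this example, as are the function names ‘scan_workflow’, ‘pin_kind’ and ‘scan_tree’; the detection is line-based and intentionally conservative, so it will not catch every way of fetching fork code.

```python
"""Added example: scanner for the 'pwn request' pattern in GitHub Actions workflows.

A workflow is flagged when it triggers on pull_request_target (privileged: base-repo
secrets and a write token are in scope) and an actions/checkout step's `ref:` points at
the pull request head, i.e. code controlled by the fork author. Not GitHub's own code.
"""
import glob
import os
import re
from dataclasses import dataclass
from typing import List, Optional

TRIGGER_RE = re.compile(r"\bpull_request_target\b")
CHECKOUT_RE = re.compile(r"uses:\s*['\"]?actions/checkout(?:@([^\s'\"]+))?")
# Expressions that resolve to the fork's commit (or the PR merge ref) under pull_request_target.
HEAD_REF_RE = re.compile(
    r"(?:github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\b|refs/pull/)"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int      # 1-based line number of the offending `ref:` entry
    message: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def pin_kind(ref: Optional[str]) -> str:
    """Classify the checkout pin: full commit SHA, a tag/branch name, or nothing at all."""
    if not ref:
        return "unpinned"
    return "sha" if SHA_RE.match(ref) else "tag"


def scan_workflow(text: str) -> List[Finding]:
    lines = text.splitlines()
    if not any(TRIGGER_RE.search(l) for l in lines if not l.lstrip().startswith("#")):
        return []  # plain pull_request runs unprivileged for forks; nothing to flag here
    findings: List[Finding] = []
    i = 0
    while i < len(lines):
        m = CHECKOUT_RE.search(lines[i])
        if not m:
            i += 1
            continue
        key_indent = lines[i].index("uses:")
        # The step's remaining keys (with:, ref:) sit at or deeper than `uses:`;
        # the next `- ` list item or a job-level key is shallower and ends the step.
        j = i + 1
        while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) >= key_indent):
            if re.match(r"\s*ref:", lines[j]) and HEAD_REF_RE.search(lines[j]):
                findings.append(Finding(
                    j + 1,
                    f"actions/checkout (pin: {pin_kind(m.group(1))}) checks out the PR head "
                    "inside a pull_request_target workflow",
                ))
            j += 1
        i = j
    return findings


def scan_tree(root: str = ".") -> dict:
    """Scan .github/workflows/*.yml|*.yaml under `root`; returns {path: [Finding, ...]}."""
    pattern = os.path.join(root, ".github", "workflows", "*.y*ml")
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            hits = scan_workflow(fh.read())
        if hits:
            results[path] = hits
    return results


# Constructed sample: the classic vulnerable shape (not taken from any real repository).
VULNERABLE_WORKFLOW = """\
name: pr-lint
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run lint   # executes the fork's package.json scripts with a secret in scope
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: the same work split at the trust boundary. Fork code runs only
# in an unprivileged pull_request workflow; the privileged workflow checks out the
# base branch (checkout's default) and consumes nothing but event metadata.
UNPRIVILEGED_LINT = """\
name: pr-lint
on:
  pull_request:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run lint
"""

PRIVILEGED_COMMENT = """\
name: pr-comment
on:
  pull_request_target:
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # base branch only; no fork code
      - run: echo "PR #${{ github.event.pull_request.number }} received"
"""

if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW), ("lint", UNPRIVILEGED_LINT),
                     ("comment", PRIVILEGED_COMMENT)]:
        for f in scan_workflow(wf):
            print(f"{name}:{f.line}: {f.message}")
    for path, hits in scan_tree().items():
        for f in hits:
            print(f"{path}:{f.line}: {f.message}")
```

Run it from a repository root to list every privileged checkout of fork code; a finding whose pin kind is ‘tag’ or ‘sha’ also tells you the workflow will keep its current ‘actions/checkout’ behaviour until the pin is moved to the updated release.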
Original advisory: GitHub Updates actions/checkout to Block Common Pwn Request Attack Patterns