nnU-Net Agentic Workflow Injection Vulnerability in Issue Triage Workflow

A vulnerability allowing agentic workflow injection has been identified in the nnU-Net semantic segmentation framework, specifically in the Issue Triage workflow of the GitHub repository MIC-DKFZ/nnUNet, prior to version 2.4.1. The issue arises because the workflow allows any logged-in GitHub user to inject untrusted content into a command-capable agent, which can then manipulate issue comments and labels. This exploitation is possible as the workflow automatically triggers on newly opened issues, creating a pathway for external attackers to influence repository management actions.

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of issue comments and labels through automated workflow actions, disrupting the intended issue management process.

Reproduction

To reproduce this vulnerability, open a new issue in the MIC-DKFZ/nnUNet repository. Include prompt-injection content in the issue title or body, such as instructions for the agent to disregard previous triage guidelines, post a specific comment, and apply a particular label. Once the issue is submitted, the nnU-Net Issue Triage workflow will automatically activate. After the workflow runs, check the issue to see if the agent followed the injected instructions by posting comments or changing labels as directed.

Remediation

Users are advised to update to nnU-Net version 2.4.1 or later, and to avoid embedding raw issue content directly into the workflow's agent prompt. Instead, only the issue number should be passed, with content retrieved in a more controlled manner. All issue data should be treated as untrusted and clearly separated from operational instructions.