websights

GitLost isn’t a bug but it is your problem

by

GitLost

When researchers disclosed GitLost, a critical prompt injection vulnerability within GitHub’s new Agentic Workflows on July 7, the headlines made it sound like a bug.

But the real story is about agent permissions, access and authorization.

GitLost exposed a much broader security problem that extends far beyond GitHub: AI agents are operating with legitimate access to business systems, yet most organizations have little visibility into what those agents can actually reach or controls to stop them from using that access in unintended ways.

The attacker didn’t steal credentials or exploit a software vulnerability. They simply convinced an AI agent to use permissions it already had. 

What Actually Happened

The vulnerable workflow was remarkably ordinary. A GitHub Agentic Workflow was configured to trigger when an issue was assigned, read the issue title and body, and post a response. It’s a common automation pattern.

The problem wasn’t the workflow itself. It was the permissions behind it.

The agent also had read access to other repositories across the organization, including private ones. That access wasn’t required for responding to GitHub issues, but it existed as standing permission.

Noma Security’s proof of concept showed how easily that access could be abused. By embedding natural-language instructions inside the issue body, an unauthenticated attacker was able to influence the agent into retrieving information from private repositories and exposing it publicly.

The AI agent wasn’t compromised. It simply followed instructions from someone it had no reason to trust because nothing distinguished trusted organizational instructions from attacker-controlled input.

As Noma Security researcher Sasi Levi put it: “The agent’s context window is also its attack surface.”

Any content an AI agent consumes, including issues, pull requests, comments, documents, and files, can become an attack vector if the agent treats that content as instructions. That’s an access problem, not a GitHub problem.

Why This Isn’t a One-Off

It would be easy to dismiss GitLost as a GitHub-specific issue that’s already been patched.

That would miss the point. Both Noma Security and independent researchers described GitLost as an example of a much broader architectural pattern.

Traditional automation follows predefined logic with clearly defined boundaries. AI agents operate differently. They blend system instructions with untrusted user input inside the same context window, making decisions in natural language while acting with legitimate credentials. As Jason Soroko, Senior Fellow at Sectigo, noted, attackers don’t necessarily need to exploit software vulnerabilities anymore. They simply need to provide instructions the agent interprets as legitimate.

Levi summarized the underlying issue even more directly: organizations are giving AI agents standing credentials while allowing them to process attacker-controlled content. Those two conditions, standing access and attacker-reachable input, are becoming increasingly common across AI workflows. GitHub Agentic Workflows happened to expose the problem first. It won’t be the last platform to do so.

Any AI agent with access to enterprise systems and the ability to consume external content inherits the same fundamental risk.

The Real Gap Is Authorization Visibility

Strip away the GitHub-specific details, and GitLost looks surprisingly familiar. An AI agent had access well beyond what its task required. That access wasn’t continuously monitored. No one could see how far those permissions extended across connected systems. And nothing stopped the agent from operating outside its intended scope.

This is where many organizations struggle today.

Most security teams can inventory AI agents and identify the permissions assigned during deployment. Far fewer can answer more important questions:

  • What systems can this agent actually reach?
  • How do its permissions propagate across SaaS applications, APIs, and downstream integrations?
  • Is the agent operating within policy right now?
  • If it isn’t, can anything stop it?

Those answers become increasingly difficult as AI agents span multiple platforms, identities, APIs, and data sources. The challenge isn’t understanding what permissions were granted. It’s understanding what those permissions actually enable.

Four Authorization Gaps GitLost Exposed

GitLost illustrates four authorization problems that organizations are increasingly facing as AI agents become part of everyday operations.

Excessive Access

The agent could access repositories that had nothing to do with the workflow it was performing. Permissions had expanded beyond what was actually necessary.

Invisible Access Paths

Most organizations can’t see how an agent’s access extends across connected SaaS applications, APIs, identities, and data sources. Without that visibility, it’s difficult to understand an agent’s true blast radius.

Weak Authorization Boundaries

Permission boundaries often exist on paper but aren’t consistently enforced across every connected system. That leaves room for agents, or attackers working through them, to operate outside intended policy.

No Runtime Enforcement

Even after the authorization boundary was crossed, nothing detected or prevented the agent from using its existing permissions in an unintended way.

Closing the Gap

Preventing incidents like GitLost isn’t simply a matter of writing better prompts or hoping future models become more resistant to prompt injection.

Organizations need to treat AI agent authorization the same way they’ve learned to treat every other form of enterprise access: continuously. That starts with understanding how agents actually interact across SaaS applications, APIs, identities, and data sources, not just the permissions they were assigned during deployment.

It also means continuously monitoring whether those agents are operating within policy, identifying authorization gaps before they’re exploited, and enforcing boundaries in real time when an agent attempts to reach resources outside its intended scope.

Wing helps organizations prevent authorization bypass by continuously validating what AI agents are allowed to access and do, not just what permissions they’ve been granted. By mapping identities, integrations, APIs, and downstream access paths, Wing provides complete visibility into an agent’s effective permissions across the environment. It continuously detects when an agent attempts to operate outside policy, access resources beyond its intended scope, or create an unauthorized access path, and can automatically enforce security controls before sensitive data is exposed or an attacker is able to leverage the agent’s privileges.