GitHub Webhook Secret Exposure: Some Secrets Inadvertently Leaked in HTTP Headers Between September 2025 and January 2026
-
GitHub Webhook Secret Exposure: Some Secrets Inadvertently Leaked in HTTP Headers Between September 2025 and January 2026
A bug in GitHub's new webhook delivery platform (active Sept 2025–Jan 2026) inadvertently exposed webhook secrets in an HTTP header, potentially allowing attackers who obtained them to forge GitHub webhook payloads. GitHub has notified affected owners and urged them to immediately rotate their webhook secrets, purge any logs containing the exposed headers, and verify HMAC signature validation.
**If you received a notification from GitHub about this webhook secret exposure, rotate your affected webhook secrets immediately and purge any HTTP request header logs on your receiving systems that may contain the leaked secrets. After rotating, verify that your endpoint is properly validating the X-Hub-Signature-256 header with the new secret to prevent forged payloads. If you are using CircleCI, check their advisory as well.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/github-webhook-secret-exposure-incident-secrets-inadvertently-leaked-in-http-headers-between-september-2025-and-january-2026-l-j-3-7-t/gD2P6Ple2L -
R relay@relay.infosec.exchange shared this topic
