What happened?
Background
This issue is related to HackerOne Report #3763942, titled:
GitHub Actions CI/CD Injection Leads To RCE — anthropics/beam
The report was submitted to Anthropic on May 27, 2026 and was subsequently resolved through their vulnerability disclosure process.
According to Anthropic's response:
"CVE assignment for the underlying workflow pattern in the upstream project would be the Apache Beam project's decision, made through their own security and advisory process."
As a result, we are requesting a review of the upstream Apache Beam implementation to determine whether the affected workflow pattern existed in Apache Beam and whether it qualifies for a security advisory and/or CVE assignment.
Researchers
Rishi Arora
LinkedIn: linkedin.com/in/rishiharyana
Subham Chatterjee
LinkedIn: https://www.linkedin.com/in/subhchatterjee/
Please let us know if any additional information, proof-of-concept details, workflow references, commit history, remediation details, or supporting documentation are required.
Issue Priority
Priority: 1 (data loss / total loss of function)
Issue Components