SC-GHA-OIDC-MISCONFIG-2021
CI/CD · GitHub Actions · GitHub Actions to cloud OIDC trust misconfiguration
Summary
This class covers overly permissive cloud IAM trust policies that federate with GitHub's OIDC provider (token.actions.githubusercontent.com) but fail to constrain which workload may assume the role. The cloud role validates the OIDC token but checks only the audience claim (for example sts.amazonaws.com) while omitting the token.actions.githubusercontent.com:sub condition, or it uses a broad wildcard such as repo:org/* or a StringLike pattern instead of StringEquals, so any branch, any fork, or even an attacker-owned repository can mint a valid GitHub OIDC token and exchange it for cloud credentials. Because the sub claim encodes repository, branch, tag, and environment, dropping or loosening it removes the only binding between the role and the intended pipeline, yielding full assumption of the trusted role. Tinder Security Labs documented this in their AWS OIDC research, finding multiple real AWS roles assumable from unauthorized repositories due to missing subject validation, with the successful assumptions visible in CloudTrail. GitHub's OIDC support and the configure-aws-credentials path shipped in 2021, making this a long-standing systemic configuration risk.
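To make the loosening patterns concrete, the following is an added Python example, not code from this page or from the cited research. It models how IAM evaluates a trust policy's Condition block against the aud and sub claims of a GitHub OIDC token, and lints a policy for the three weaknesses named above (no sub condition, a StringLike wildcard, an org-wide repo:org/* pattern). The account id, organization and repository names, the claim sets and the three policies are constructed for the example; only StringEquals and StringLike are modelled, and real IAM evaluation has more operators and more semantics than this.

```python
import re

PROVIDER = "token.actions.githubusercontent.com"
AUD_KEY = f"{PROVIDER}:aud"
SUB_KEY = f"{PROVIDER}:sub"
FEDERATED = f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"  # constructed account id


def _trust_policy(condition):
    """Wrap one Condition block in a minimal AssumeRoleWithWebIdentity trust policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": FEDERATED},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Constructed policies (not taken from any real account).
AUDIENCE_ONLY_POLICY = _trust_policy({
    "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
})
ORG_WILDCARD_POLICY = _trust_policy({
    "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
    "StringLike": {SUB_KEY: "repo:example-org/*"},
})
PINNED_POLICY = _trust_policy({
    "StringEquals": {
        AUD_KEY: "sts.amazonaws.com",
        SUB_KEY: "repo:example-org/example-repo:environment:production",
    },
})

# Constructed token claims: the intended pipeline and a token from an unrelated repository.
INTENDED_CLAIMS = {"aud": "sts.amazonaws.com", "sub": "repo:example-org/example-repo:environment:production"}
FOREIGN_CLAIMS = {"aud": "sts.amazonaws.com", "sub": "repo:some-other-org/some-repo:ref:refs/heads/main"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _conditions_hold(condition, claims):
    """Every key under every operator must match; a claim the token lacks fails the condition."""
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            value = claims.get(key.rsplit(":", 1)[1])  # "...:sub" -> claims["sub"]
            if value is None:
                return False
            if operator == "StringEquals":
                ok = value in _as_list(allowed)
            elif operator == "StringLike":
                ok = any(string_like(p, value) for p in _as_list(allowed))
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def policy_accepts(policy, claims):
    """True if some Allow statement for AssumeRoleWithWebIdentity admits these token claims."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        if _conditions_hold(stmt.get("Condition", {}), claims):
            return True
    return False


def lint_trust_policy(policy):
    """Flag audience-only trust, StringLike wildcard subjects and org-wide repository patterns."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        if not any(AUD_KEY in v for v in cond.values()):
            findings.append(f"statement {i}: no {AUD_KEY} condition")
        sub_pins = [(op, p) for op, v in cond.items() if SUB_KEY in v for p in _as_list(v[SUB_KEY])]
        if not sub_pins:
            findings.append(f"statement {i}: audience-only trust, no {SUB_KEY} condition")
        for op, pattern in sub_pins:
            if op == "StringLike" and ("*" in pattern or "?" in pattern):
                findings.append(f"statement {i}: StringLike wildcard subject {pattern!r}")
            if re.fullmatch(r"repo:[^/]+/\*.*", pattern):
                findings.append(f"statement {i}: org-wide repository wildcard {pattern!r}")
    return findings


if __name__ == "__main__":
    for name, pol in [("audience-only", AUDIENCE_ONLY_POLICY), ("org-wildcard", ORG_WILDCARD_POLICY), ("pinned", PINNED_POLICY)]:
        print(f"{name}: intended={policy_accepts(pol, INTENDED_CLAIMS)} "
              f"foreign={policy_accepts(pol, FOREIGN_CLAIMS)} findings={lint_trust_policy(pol)}")
```

Running it shows the failure mode directly: the audience-only policy accepts the foreign token because its aud claim is the same sts.amazonaws.com value every GitHub-to-AWS token carries, the org-wildcard policy accepts any repository and any ref under example-org, and only the pinned policy restricts assumption to the one repository and environment it was written for.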
How to avoid it in your code
- Always pin the token.actions.githubusercontent.com:sub claim to repo, branch/tag, and environment with StringEquals, not StringLike.
- Validate both the aud and sub claims; never trust an audience-only condition.
- Scope each role to a single repository and protected environment; avoid org-wide repo:org/* wildcards.
- Grant the assumed role least-privilege permissions and short session durations.
- Audit cloud logs for AssumeRoleWithWebIdentity calls and alert on unexpected repo/org subjects.
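For the last point, an added example (not from this page) of the detection logic run over constructed CloudTrail records: each AssumeRoleWithWebIdentity record issued via the GitHub provider is compared against an inventory of the exact subjects each role is meant to accept, mirroring a StringEquals pin in the trust policy. The role ARNs, subjects and event bodies are constructed, and the record layout assumed here (userIdentity.type of WebIdentityUser, userName carrying the sub claim, identityProvider naming the issuer, errorCode present on denied calls) should be confirmed against your own trail before relying on it.

```python
PROVIDER = "token.actions.githubusercontent.com"

# Which GitHub OIDC subjects may assume each role; exact strings, as with StringEquals.
# Constructed inventory for the example.
EXPECTED_SUBJECTS = {
    "arn:aws:iam::123456789012:role/deploy-prod": {
        "repo:example-org/example-repo:environment:production",
    },
}


def _event(role_arn, subject, error_code=None):
    """Build one constructed CloudTrail record; the field layout is an assumption,
    not a copy of a real trail."""
    record = {
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithWebIdentity",
        "userIdentity": {
            "type": "WebIdentityUser",
            "principalId": f"{PROVIDER}:sts.amazonaws.com:{subject}",
            "userName": subject,
            "identityProvider": PROVIDER,
        },
        "requestParameters": {"roleArn": role_arn, "roleSessionName": "GitHubActions"},
    }
    if error_code:
        record["errorCode"] = error_code
    return record


SAMPLE_EVENTS = [
    _event("arn:aws:iam::123456789012:role/deploy-prod",
           "repo:example-org/example-repo:environment:production"),   # the intended pipeline
    _event("arn:aws:iam::123456789012:role/deploy-prod",
           "repo:example-org/example-repo:ref:refs/heads/feature-x"),  # same repo, unprotected ref
    _event("arn:aws:iam::123456789012:role/deploy-prod",
           "repo:unrelated-org/probe:ref:refs/heads/main"),            # foreign repository
    _event("arn:aws:iam::123456789012:role/legacy-ci",
           "repo:example-org/tools:ref:refs/heads/main"),              # role nobody inventoried
    _event("arn:aws:iam::123456789012:role/deploy-prod",
           "repo:unrelated-org/probe:ref:refs/heads/main",
           error_code="AccessDenied"),                                 # denied, still worth seeing
]


def check_event(event):
    """Return an alert dict for a GitHub OIDC role assumption outside the inventory, else None."""
    if event.get("eventSource") != "sts.amazonaws.com" or event.get("eventName") != "AssumeRoleWithWebIdentity":
        return None
    ident = event.get("userIdentity", {})
    if ident.get("identityProvider") != PROVIDER:
        return None  # another web identity provider; out of scope for this check
    role_arn = event.get("requestParameters", {}).get("roleArn")
    subject = ident.get("userName")
    allowed = EXPECTED_SUBJECTS.get(role_arn)
    if allowed is None:
        reason = "role not in OIDC inventory"
    elif subject not in allowed:
        reason = "subject not allow-listed for role"
    else:
        return None
    # A denied call is still reported: it shows a token from an unexpected subject reaching STS.
    return {"roleArn": role_arn, "subject": subject, "reason": reason, "succeeded": "errorCode" not in event}


def detect(events):
    """Run check_event over a batch of records and keep the alerts."""
    return [alert for alert in map(check_event, events) if alert is not None]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Successful alerts are the ones the text describes as the symptom of this class (a valid assumption from a repository or ref the role was never meant to trust); a run of denied ones against a pinned role is the opposite signal, the sub condition doing its job, and is also useful as evidence that the role is being probed.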
References
- https://medium.com/tinder/identifying-vulnerabilities-in-github-actions-aws-oidc-configurations-8067c400d5b8
- https://www.wiz.io/blog/avoiding-mistakes-with-aws-oidc-integration-conditions
- https://docs.github.com/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services