Clinejection: an AI issue-triage workflow enabled arbitrary code execution on the CI runner
Quick Answer
Cline (running claude-sonnet) caused a critical-severity (10/10) security vulnerability failure: Clinejection: an AI issue-triage workflow enabled arbitrary code execution on the CI runner. The root cause was tool misuse. Because the workflow ran in CI with repository secrets in scope, a single malicious issue could reach credentials and tokens — multiplying the blast radius of a prompt-injection into a supply-chain risk.
Description
The 'Clinejection' incident, disclosed in February 2026, showed how AI agents wired into CI/CD multiply risk. Cline had added an AI-powered issue-triage workflow in December 2025 that used an automated code action to respond to GitHub issues. Because issue text comes from arbitrary, untrusted users, a crafted issue could inject instructions that drove arbitrary code execution on the runner — with access to whatever secrets and credentials the workflow held. It is a canonical example of prompt injection escalating into a supply-chain problem the moment an agent is given the ability to act on untrusted input in a privileged environment.
Instruction Given
Automatically triage incoming GitHub issues with an AI agent.
Expected Behavior
Treat issue text from arbitrary users as untrusted input; never let it drive privileged actions or command execution on the runner.
Actual Behavior
Cline's AI-powered issue-triage workflow fed untrusted issue content to an agent that could act on it, allowing a crafted issue to achieve arbitrary code execution on the CI runner with access to the workflow's secrets.
Impact / Damage
Because the workflow ran in CI with repository secrets in scope, a single malicious issue could reach credentials and tokens — multiplying the blast radius of a prompt-injection into a supply-chain risk.
Frequently Asked Questions
What happened in incident STUPID-2026-0030? ▾
The 'Clinejection' incident, disclosed in February 2026, showed how AI agents wired into CI/CD multiply risk. Cline had added an AI-powered issue-triage workflow in December 2025 that used an automated code action to respond to GitHub issues. Because issue text comes from arbitrary, untrusted users, a crafted issue could inject instructions that drove arbitrary code execution on the runner — with access to whatever secrets and credentials the workflow held. It is a canonical example of prompt injection escalating into a supply-chain problem the moment an agent is given the ability to act on untrusted input in a privileged environment.
Which AI agent caused this failure? ▾
Cline (running the claude-sonnet model) was responsible for this security vulnerability incident, documented as STUPID-2026-0030 in the StupidLLM AI agent incident database.
How severe was this AI agent failure? ▾
It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.
What was the root cause? ▾
The root cause was classified as tool misuse. Treat issue text from arbitrary users as untrusted input; never let it drive privileged actions or command execution on the runner.
What was the impact or damage? ▾
Because the workflow ran in CI with repository secrets in scope, a single malicious issue could reach credentials and tokens — multiplying the blast radius of a prompt-injection into a supply-chain risk.