Date: Tue, 14 Apr 2026 09:23:34 -0700
From: GitHub Security <no-reply@github.com>
To: Louis Goddard <louisgoddard@gmail.com>
Message-ID: <69de6a0681681_1717fa110878942@github-lowworker-4c41d26.va3-iad.github.net.mail>
Subject: Action needed: Rotate webhook secrets in your GitHub account
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Auto-Response-Suppress: All

Hi ltrgoddard,

We're writing to let you know that between September 2025 and January 2026, webhook secrets for webhooks you are responsible for were inadvertently included in an HTTP header on webhook deliveries. This means that any system receiving webhook payloads during this window could have logged the webhook secret from the request headers. Webhook deliveries are encrypted in transit via TLS, so the header containing the secret was only accessible to the receiving endpoint in a base64-encoded format. We have no evidence to suggest your secrets were intercepted. This issue was fixed on January 26, 2026. Please read on for more information.

User privacy and security are essential for maintaining trust, and we want to remain as transparent as possible about events like these. GitHub itself did not experience a compromise or data breach as a result of this event.

* What happened? *

On January 26, 2026, GitHub identified a bug in a new version of the webhook delivery platform where webhook secrets were included in an `X-Github-Encoded-Secret` HTTP header sent with webhook payloads. This header was not intended to be part of the delivery and made the webhook secret available to the receiving endpoint in a base64-encoded format. Webhook secrets are used to verify that deliveries are genuinely from GitHub, and should only be known to GitHub and the webhook owner.

The bug was limited to only a subset of webhook deliveries that were feature flagged to use this new version of the webhooks platform. The bug was present between September 11, 2025, and December 10, 2025, and briefly on January 5, 2026. The bug was fixed on January 26, 2026.

* What information was involved? *

The webhook secret for each affected webhook was included in HTTP request headers during the window that the bug was present. The webhook payload content itself was delivered normally and was not additionally affected. No other credentials or tokens were affected. Webhook deliveries are encrypted in transit via TLS, so the header containing the secret was only accessible to the receiving endpoint.

If the receiving system logged HTTP request headers, the webhook secret may be present in those logs. The webhook secret is used to compute the `X-Hub-Signature-256` HMAC signature on deliveries — if compromised, an attacker who knows the secret could forge webhook payloads to make them appear to come from GitHub.

* What GitHub is doing *

GitHub deployed a fix on January 26, 2026 to remove the `X-Github-Encoded-Secret` header from webhook deliveries. We then began a thorough investigation to identify all affected webhooks and their responsible owners.

We are notifying all users who own or administer webhooks that were affected during the window that the bug was present so they can rotate their webhook secrets.

* What you can do *

1. Rotate your webhook secrets immediately. While we have no evidence your secrets were intercepted, the affected secrets should still be treated as compromised. At the end of this email is a list of your affected webhooks — generate a new random secret for each one: https://docs.github.com/en/webhooks/using-webhooks/editing-webhooks

2. Review your receiving systems. If the system receiving webhook deliveries logged HTTP request headers, purge those logs to limit further access to the included secrets.

3. Verify webhook signatures. After rotating the secret, confirm your receiving endpoint validates the `X-Hub-Signature-256` header using the new secret: https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries
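
The following Python sketch is an added example for steps 2 and 3 above; it is not code from GitHub or from this notice. It validates `X-Hub-Signature-256` against a current and a previous secret so deliveries keep validating while the webhook is being edited, and it scans captured request-header log lines for the `X-Github-Encoded-Secret` header so those logs can be identified for purging. All secrets, payloads and log lines are constructed placeholders.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Header the notice says was inadvertently sent with deliveries (lower-cased for matching).
LEAKED_HEADER = "x-github-encoded-secret"


def sign_payload(secret: str, body: bytes) -> str:
    """Build an X-Hub-Signature-256 value: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_signature(header_value: Optional[str], body: bytes,
                     secrets: Dict[str, str]) -> Optional[str]:
    """Return the label of the secret that validates this delivery, or None if none does.

    `secrets` maps a label to a secret, e.g. {"current": ..., "previous": ...}. Keeping the
    previous secret for a short window lets in-flight deliveries validate while the webhook
    is being edited; once "previous" stops matching, drop it. compare_digest is constant-time.
    """
    if not header_value or not header_value.startswith("sha256="):
        return None
    for label, secret in secrets.items():
        expected = sign_payload(secret, body)
        if hmac.compare_digest(expected.encode(), header_value.encode()):
            return label
    return None


def find_leaked_header_lines(log_lines: List[str]) -> List[int]:
    """Return 1-based numbers of log lines that recorded the leaked header (any case)."""
    return [n for n, line in enumerate(log_lines, start=1) if LEAKED_HEADER in line.lower()]


if __name__ == "__main__":
    # Constructed sample values: not real GitHub secrets, deliveries or logs.
    secrets = {"current": "new-secret-after-rotation", "previous": "old-leaked-secret"}
    body = b'{"action": "opened", "number": 1}'
    old_sig = sign_payload("old-leaked-secret", body)
    print(verify_signature(old_sig, body, secrets))                # previous
    print(verify_signature("sha256=" + "0" * 64, body, secrets))   # None
    logs = [
        "2025-10-02 POST /hook X-Hub-Signature-256: sha256=<hex>",
        "2025-10-02 POST /hook X-Github-Encoded-Secret: <base64 secret>",
    ]
    print(find_leaked_header_lines(logs))                          # [2]
```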

Note: if the webhook (or resource that owned the webhook such as a repository) has already been deleted, you can disregard that webhook in the list of affected webhooks and do not need to take any action for it.

Please feel free to reach out to GitHub Support with any additional questions or concerns through the following contact form:

[REDACTED]

Thanks,

GitHub Security

<Reference # [REDACTED]>