STUPID-2026-0030 Severity 10/10 — CRITICAL Verified

Clinejection: an AI issue-triage workflow enabled arbitrary code execution on the CI runner

Agent: cline Domain: infra
Failure Mode
Security Vulnerability
Root Cause
Tool Misuse
Task Type
Deploy
Reproducible
No

Quick Answer

Cline (running claude-sonnet) caused a critical-severity (10/10) security vulnerability failure: Clinejection: an AI issue-triage workflow enabled arbitrary code execution on the CI runner. The root cause was tool misuse. Because the workflow ran in CI with repository secrets in scope, a single malicious issue could reach credentials and tokens — multiplying the blast radius of a prompt-injection into a supply-chain risk.

Description

The 'Clinejection' incident, disclosed in February 2026, showed how AI agents wired into CI/CD multiply risk. Cline had added an AI-powered issue-triage workflow in December 2025 that used an automated code action to respond to GitHub issues. Because issue text comes from arbitrary, untrusted users, a crafted issue could inject instructions that drove arbitrary code execution on the runner — with access to whatever secrets and credentials the workflow held. It is a canonical example of prompt injection escalating into a supply-chain problem the moment an agent is given the ability to act on untrusted input in a privileged environment.

Instruction Given

Automatically triage incoming GitHub issues with an AI agent.

Expected Behavior

Treat issue text from arbitrary users as untrusted input; never let it drive privileged actions or command execution on the runner.

Actual Behavior

Cline's AI-powered issue-triage workflow fed untrusted issue content to an agent that could act on it, allowing a crafted issue to achieve arbitrary code execution on the CI runner with access to the workflow's secrets.

Impact / Damage

Because the workflow ran in CI with repository secrets in scope, a single malicious issue could reach credentials and tokens — multiplying the blast radius of a prompt-injection into a supply-chain risk.

Share this incident

Help others know about this AI agent failure

Source: News Report View source Reported February 15, 2026

Frequently Asked Questions

What happened in incident STUPID-2026-0030?

The 'Clinejection' incident, disclosed in February 2026, showed how AI agents wired into CI/CD multiply risk. Cline had added an AI-powered issue-triage workflow in December 2025 that used an automated code action to respond to GitHub issues. Because issue text comes from arbitrary, untrusted users, a crafted issue could inject instructions that drove arbitrary code execution on the runner — with access to whatever secrets and credentials the workflow held. It is a canonical example of prompt injection escalating into a supply-chain problem the moment an agent is given the ability to act on untrusted input in a privileged environment.

Which AI agent caused this failure?

Cline (running the claude-sonnet model) was responsible for this security vulnerability incident, documented as STUPID-2026-0030 in the StupidLLM AI agent incident database.

How severe was this AI agent failure?

It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.

What was the root cause?

The root cause was classified as tool misuse. Treat issue text from arbitrary users as untrusted input; never let it drive privileged actions or command execution on the runner.

What was the impact or damage?

Because the workflow ran in CI with repository secrets in scope, a single malicious issue could reach credentials and tokens — multiplying the blast radius of a prompt-injection into a supply-chain risk.