Azure Devops Zero-Click CI/CD Vulnerability

Published Wed, Jan 31st, 2024


Legit Security found a zero-click vulnerability in Azure Pipelines that allows an attacker to access secrets and internal information and perform actions in elevated permissions in the context of a pipeline workflow. This could allow attackers to move laterally in the organization and initiate supply chain attacks. When a pipeline is triggered by a "pipeline resource trigger," it shows in the platform as "Automatically Triggered For …" Instead of running in fork default permissions, preventing any access to secrets and sensitive actions, Azure Pipelines "confuses" the trigger for an internal build allowing access sensitive build secrets. Exploitability depends on a public GitHub repository that runs Azure pipelines on pull-request, with default Azure pipeline fork configurations to trigger pipeline run, and Pipeline-Triggers.

Affected Services

Azure DevOps Services, Azure Pipelines


None required if you are using Azure DevOps cloud services. Otherwise, make sure you're running a patched build.

Tracked CVEs



Disclosure Date
Tue, May 23rd, 2023
Exploitablity Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Nadav Noy, Legit Security