GitHub Notifies Users of Webhook Secret Exposure Bug; Urges Secret Rotation

Summary

GitHub disclosed a security incident affecting webhook users, revealing that webhook secrets were inadvertently exposed in HTTP headers during webhook deliveries between September 2025 and January 2026. The bug, which affected a subset of webhook deliveries using a new platform version, allowed receiving endpoints to access webhook secrets in base64-encoded format through the X-Github-Encoded-Secret HTTP header. While GitHub states there is no evidence of actual secret interception and that the bug was fixed on January 26, 2026, the company has notified affected users to rotate their webhook secrets as a precautionary measure.

The exposure poses a potential security risk because webhook secrets are used to verify the authenticity of deliveries and compute HMAC signatures. If compromised, an attacker could forge webhook payloads to appear as if they originated from GitHub. GitHub emphasized that the webhook payload content itself was not additionally affected, no other credentials or tokens were compromised, and GitHub itself did not experience a breach. The company framed the disclosure as part of its commitment to user privacy and transparency.

• While TLS encryption protected secrets in transit and GitHub has no evidence of actual interception, affected systems that logged HTTP headers may contain webhook secrets in their logs

Editorial Opinion

This incident underscores the importance of secure credential handling in platform infrastructure, particularly when introducing new versions of critical systems like webhook delivery. GitHub's transparent communication and no-evidence-of-compromise assessment are commendable, but the proactive approach of notifying users to rotate secrets—even without confirmed compromise—demonstrates appropriate security hygiene. Organizations should use this as a reminder to audit their webhook implementations and review access logs from the affected period for potential exposure.