Alert: GitHub Bug Exposed Webhook Secrets to Recipient Endpoints

On 14th April 2026, GitHub notified users that webhook secrets may have been exposed due to a bug in the platform.

According to GitHub, the bug was present between September 11th 2025 and December 10th 2025, and again briefly on January 5th 2026. The fix was deployed on January 26th 2026, though affected users were only notified nearly three months later.

The cause was a bug in webhook deliveries: a new, feature-toggled version of GitHub's webhook platform sent an extra X-Github-Encoded-Secret header with each delivery, containing the webhook secret encoded in Base64.

Anyone affected should rotate their webhook secrets in GitHub and update any recipient systems that validate webhook signatures with the new secret. Most users are likely fine, but rotate these secrets as a precaution, particularly if your receiving endpoint is a third-party service.

The practical impact of this bug is minimal for most users. Webhook secrets are already known to both GitHub and the webhook owner, so in most cases the secret was only exposed to the endpoint that already had legitimate access to it.

The primary risk applies to users who directed webhooks to third-party services, or whose receiving systems logged HTTP headers to a location with broader access than intended. In those cases, an attacker with access to those logs could forge webhook payloads that appear to come from GitHub.

We use GitHub webhooks as part of our GitHub integration within the Attack Surface Center. We have rotated our webhook secrets as a precaution. The webhook secret is used to verify payload authenticity, and no payload content or customer data was affected by this bug.

The email from GitHub read as follows:

We’re writing to let you know that between September 2025 and January 2026, webhook secrets for webhooks you are responsible for were inadvertently included in an HTTP header on webhook deliveries. This means that any system receiving webhook payloads during this window could have logged the webhook secret from the request headers. Webhook deliveries are encrypted in transit via TLS, so the header containing the secret was only accessible to the receiving endpoint in a base64-encoded format. We have no evidence to suggest your secrets were intercepted. This issue was fixed on January 26, 2026. Please read on for more information.

User privacy and security are essential for maintaining trust, and we want to remain as transparent as possible about events like these. GitHub itself did not experience a compromise or data breach as a result of this event. 

What happened?

On January 26, 2026, GitHub identified a bug in a new version of the webhook delivery platform where webhook secrets were included in an `X-Github-Encoded-Secret` HTTP header sent with webhook payloads. This header was not intended to be part of the delivery and made the webhook secret available to the receiving endpoint in a base64-encoded format. Webhook secrets are used to verify that deliveries are genuinely from GitHub, and should only be known to GitHub and the webhook owner.

The bug was limited to only a subset of webhook deliveries that were feature flagged to use this new version of the webhooks platform. The bug was present between September 11, 2025, and December 10, 2025, and briefly on January 5, 2026. The bug was fixed on January 26, 2026.

What information was involved?

The webhook secret for each affected webhook was included in HTTP request headers during the window that the bug was present. The webhook payload content itself was delivered normally and was not additionally affected. No other credentials or tokens were affected. Webhook deliveries are encrypted in transit via TLS, so the header containing the secret was only accessible to the receiving endpoint.

If the receiving system logged HTTP request headers, the webhook secret may be present in those logs. The webhook secret is used to compute the `X-Hub-Signature-256` HMAC signature on deliveries — if compromised, an attacker who knows the secret could forge webhook payloads to make them appear to come from GitHub.

What GitHub is doing

GitHub deployed a fix on January 26, 2026 to remove the `X-Github-Encoded-Secret` header from webhook deliveries. We then began a thorough investigation to identify all affected webhooks and their responsible owners.

We are notifying all users who own or administer webhooks that were affected during the window that the bug was present so they can rotate their webhook secrets.

What you can do

1. Rotate your webhook secrets immediately. While we have no evidence your secrets were intercepted, the affected secrets should still be treated as compromised. At the end of this email is a list of your affected webhooks — generate a new random secret for each one: https://docs.github.com/en/webhooks/using-webhooks/editing-webhooks

2. Review your receiving systems. If the system receiving webhook deliveries logged HTTP request headers, purge those logs to limit further access to the included secrets.

3. Verify webhook signatures. After rotating the secret, confirm your receiving endpoint validates the `X-Hub-Signature-256` header using the new secret: https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries

Note: if the webhook (or resource that owned the webhook such as a repository) has already been deleted, you can disregard that webhook in the list of affected webhooks and do not need to take any action for it.
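The two technical points in this post, that a receiver which logs request headers may have captured the secret and should purge those logs, and that after rotating the secret the endpoint must validate `X-Hub-Signature-256` with the new value, can be seen together in the following Python example. It is added here and is not GitHub's code nor part of the Attack Surface Center integration; the function names, the accepted-secrets list used for a rotation grace period, and the sample log lines are all constructed for illustration. The HMAC-SHA256 `sha256=<hex>` form of the signature header is GitHub's documented scheme; everything else is an assumption.

```python
"""Added example (not GitHub's code): verify GitHub webhook signatures with
support for secret rotation, and keep webhook secrets out of request logs."""
import base64
import hashlib
import hmac
import re
from typing import Iterable, Mapping

# Header names taken from the advisory. HTTP header names are case-insensitive,
# so lookups below lower-case both sides.
SIGNATURE_HEADER = "X-Hub-Signature-256"
LEAKED_HEADER = "X-Github-Encoded-Secret"


def compute_signature(secret: str, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, in the 'sha256=<hex>' form
    GitHub documents for X-Hub-Signature-256."""
    mac = hmac.new(secret.encode("utf-8"), body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_delivery(secrets: Iterable[str], body: bytes,
                    headers: Mapping[str, str]) -> bool:
    """Return True if the signature header matches the body under any accepted
    secret. During a rotation pass [new_secret, old_secret] so in-flight
    deliveries signed with the old value are not rejected; drop the old secret
    once every hook has been updated. compare_digest keeps the comparison
    constant-time; comparing bytes avoids a TypeError on non-ASCII input."""
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received or not received.startswith("sha256="):
        return False
    received_b = received.encode("utf-8")
    return any(hmac.compare_digest(compute_signature(s, body).encode("utf-8"),
                                   received_b)
               for s in secrets)


def redact_headers(headers: Mapping[str, str]) -> dict:
    """Copy of the request headers that is safe to write to a log: the leaked
    header, the signature and any Authorization value are replaced, not stored."""
    sensitive = {LEAKED_HEADER.lower(), SIGNATURE_HEADER.lower(), "authorization"}
    return {k: ("[REDACTED]" if k.lower() in sensitive else v)
            for k, v in headers.items()}


def find_leaked_header_lines(log_lines: Iterable[str]) -> list:
    """1-based numbers of log lines that recorded the leaked header, so they
    can be purged (step 2 of GitHub's guidance)."""
    pattern = re.compile(re.escape(LEAKED_HEADER), re.IGNORECASE)
    return [i for i, line in enumerate(log_lines, start=1) if pattern.search(line)]


# Constructed sample: a receiver that logged full request headers during the
# bug window. Base64 is an encoding, not encryption, so the secret is
# recoverable from line 2 by anyone who can read the log.
_ENCODED_OLD = base64.b64encode(b"old-secret-constructed").decode("ascii")
SAMPLE_LOG_LINES = [
    "POST /github/webhook 200 Content-Type: application/json",
    f"POST /github/webhook 200 {LEAKED_HEADER}: {_ENCODED_OLD}",
    "POST /github/webhook 200 X-GitHub-Event: push",
]


if __name__ == "__main__":
    body = b'{"action": "opened"}'
    new, old = "new-secret-constructed", "old-secret-constructed"
    delivery = {SIGNATURE_HEADER: compute_signature(old, body)}
    print("old secret alone accepted:", verify_delivery([old], body, delivery))
    print("new secret alone accepted:", verify_delivery([new], body, delivery))
    print("rotation window accepted: ", verify_delivery([new, old], body, delivery))
    print("log lines to purge:       ", find_leaked_header_lines(SAMPLE_LOG_LINES))
    print("safe to log:              ", redact_headers(delivery))
```

The verifier takes a list of secrets so that rotation can be done without a window in which legitimate deliveries fail: add the new secret first, update the hook in GitHub, then remove the old one. `redact_headers` is the piece to place in front of whatever request logger the endpoint uses, since the secret in this incident only became a risk where headers were written to logs.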