GitHub Webhook Secret Exposure — Action Required for GitHub OAuth Projects

Note: CircleCI has not been compromised. Our goal with this notice is to help you keep your pipelines running while following GitHub’s recommended security guidance.

What happened

On April 14, 2026, GitHub began notifying affected webhook owners directly via email that between September 11, 2025 and January 26, 2026, webhook secrets for some repository webhooks were inadvertently included in an HTTP request header on webhook deliveries. The secret was only accessible to the receiving endpoint and GitHub has no evidence that any secrets were intercepted. GitHub fixed the bug on January 26, 2026.

If you received that email, we’re following up because the steps GitHub recommends will break your CircleCI pipeline connection. We want to make sure you can rotate your secret safely without any interruption to your builds.

Do you need to act?

You may be affected if you are using a GitHub OAuth project integration with a webhook that was active between September 11, 2025 and January 26, 2026. GitHub App integrations are not affected. Not sure which integration type you use? Check this support article.

What we recommend

Follow CircleCI’s rotation instructions below. This rotates your webhook secret and keeps your pipelines running with no additional steps needed.

Full steps are in our support article: Rotating the GitHub webhook secret for CircleCI GitHub OAuth project triggers.

In summary:

  1. In the CircleCI web app, go to Project Settings, then Project Setup for the affected project
  2. Locate the GitHub OAuth trigger. Before deleting it, note the event names, event sources, and any filters so you can recreate your exact configuration
  3. Delete the existing OAuth trigger. This invalidates the old webhook and secret on GitHub’s side
  4. Recreate the trigger. CircleCI registers a new webhook with GitHub using a fresh secret
  5. Confirm the new hook ID appears in GitHub under Repository Settings, then Webhooks
  6. Push a commit to verify your pipelines are triggering correctly

A note on other paths

If you have already followed GitHub’s rotation instructions, your secret is now secure, but your CircleCI pipelines will have stopped triggering. Follow the steps above to recreate your trigger and restore your pipeline connection.

If you have not yet taken any action, your pipelines will continue to run as normal. We still recommend following the steps above as a security best practice given the potential exposure of your webhook secret.

Additional context

  • Only the webhook secret was exposed. Payload content was not affected
  • No other credentials or tokens were affected
  • GitHub App integrations are not affected

Questions? Contact your Technical Success Manager or visit support.circleci.com.

For additional reference: Tell HN: GitHub might have been leaking your webhook secrets. Check your emails. (Hacker News)