CI runners with excessive permissions (Docker socket access, cloud credentials) - Shared CI runners where jobs from different repositories execute on the same host - Build cache poisoning between pipeline runs - Insecure storage of pipeline secrets