Flaw in Claude Code GitHub Action Uncovered, Posing Repository Takeover Risk
A security vulnerability has been discovered in Anthropic’s Claude Code GitHub Action, allowing attackers to potentially hijack vulnerable public repositories. The flaw, reported by security researcher RyotaK of GMO Flatt Security, could enable a malicious actor to execute arbitrary code with minimal effort. This discovery highlights ongoing concerns regarding AI security and the potential for sophisticated prompt injection attacks in CI/CD pipelines.
Anthropic has since patched the vulnerability, rated 7.8 under CVSS v4.0, and rewarded the researcher with a bug bounty. The fix is available in claude-code-action v1.0.94. The core of the issue lay in how the action authenticated users, creating an exploitable loophole for unauthorized access and code manipulation.
Understanding the Claude Code GitHub Action Vulnerability
Claude Code GitHub Actions are designed to integrate Anthropic’s Claude AI into continuous integration and continuous deployment (CI/CD) pipelines. These actions can automate tasks such as triaging issues, applying labels, reviewing pull requests, and executing slash commands. By default, the workflow is granted broad read and write permissions across a repository’s code, issues, pull requests, discussions, and workflow files. Consequently, the action implements checks to ensure only authorized users, specifically those with write access, can trigger its operations.
However, the security researcher identified a critical oversight in this authorization mechanism. The workflow trusted any actor whose username ended with “[bot]”, on the assumption that GitHub Apps are inherently trustworthy because they are typically installed by repository administrators. That assumption does not hold: anyone can register a GitHub App, install it on a repository they control, and use its token to open an issue or pull request on any public repository. The Claude Code action, seeing only the “[bot]” suffix, then treated the attacker’s submitted content as if it came from an authorized user. The bypass was particularly effective in “agent mode,” which lacked the additional verification step present in “tag mode” that confirms the actor is a human user.
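To make the authorization gap concrete, here is an added illustration written for this article (it is not claude-code-action’s own source). It places the “[bot]”-suffix check described above next to a check that relies on evidence the submitter cannot forge: the account type GitHub reports in the event payload (`User` or `Bot`) and the actor’s repository permission. The event payloads, the permission table and the bot names are constructed.

```python
"""Added example for this article, not code from claude-code-action.
Compares the '[bot]'-suffix trust with a permission-based check.
All logins, events and the permission table below are constructed."""
from typing import Dict, FrozenSet

WRITE_LEVELS = {"write", "maintain", "admin"}

# Constructed stand-in for the collaborator-permission lookup a real action
# would perform against the GitHub API. Unknown logins, including bot accounts
# the maintainers never installed, fall through to "none".
REPO_PERMISSIONS: Dict[str, str] = {
    "maintainer-alice": "admin",
    "contributor-bob": "write",
    "drive-by-carol": "read",
}


def lookup_permission(login: str) -> str:
    return REPO_PERMISSIONS.get(login, "none")


def is_authorized_flawed(login: str) -> bool:
    """The oversight: a login ending in '[bot]' is trusted outright, so a
    GitHub App that anyone registered gets the same treatment as one a
    repository admin installed. The permission lookup is never reached."""
    if login.endswith("[bot]"):
        return True
    return lookup_permission(login) in WRITE_LEVELS


def is_authorized_fixed(login: str, actor_type: str,
                        trusted_bots: FrozenSet[str] = frozenset()) -> bool:
    """Decide from the account type GitHub reports ('User' or 'Bot') and the
    repository permission. Bot accounts are accepted only from an explicit,
    maintainer-curated allowlist; the login string itself carries no authority."""
    if actor_type == "Bot":
        return login in trusted_bots
    return lookup_permission(login) in WRITE_LEVELS


def triage_event(event: Dict[str, str],
                 trusted_bots: FrozenSet[str] = frozenset()) -> Dict[str, bool]:
    """Run both checks over one constructed issue event and report the gap."""
    login, actor_type = event["sender_login"], event["sender_type"]
    return {
        "flawed": is_authorized_flawed(login),
        "fixed": is_authorized_fixed(login, actor_type, trusted_bots),
    }


# Constructed events: a collaborator, a read-only user, an app the attacker
# registered, and an app the maintainers installed and allowlisted.
CONSTRUCTED_EVENTS = [
    {"sender_login": "contributor-bob", "sender_type": "User"},
    {"sender_login": "drive-by-carol", "sender_type": "User"},
    {"sender_login": "attacker-app[bot]", "sender_type": "Bot"},
    {"sender_login": "release-helper[bot]", "sender_type": "Bot"},
]
TRUSTED_BOTS = frozenset({"release-helper[bot]"})

if __name__ == "__main__":
    for ev in CONSTRUCTED_EVENTS:
        print(ev["sender_login"], triage_event(ev, TRUSTED_BOTS))
```

The only event on which the two checks disagree is the attacker-registered app: the suffix check admits it, the permission-and-allowlist check does not, which is exactly the gap the researcher exploited.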
Leveraging Indirect Prompt Injection for Malicious Gains
Once the attacker successfully bypassed the initial authentication, the next step involved exploiting indirect prompt injection. This attack technique involves embedding malicious instructions within content that an AI model will process. In this scenario, the attacker crafted an issue that, on the surface, appeared to be a standard error message. Through careful refinement of the prompt, the attacker enticed Claude to “recover” from the perceived error by executing hidden commands.
The ultimate target was the /proc/self/environ file, a Linux system file containing a process’s environment variables, including sensitive secrets. While Claude Code has safeguards to prevent direct access to this file, RyotaK successfully circumvented these defenses. The researcher managed to coax Claude into writing the environment variable values back into the issue itself, making them accessible to the attacker.
The most critical component within these environment variables was the credential pair used by GitHub Actions to request an OpenID Connect (OIDC) token. This token serves as proof of identity for workflows running within specific repositories. Claude Code then exchanges this OIDC token with Anthropic’s backend infrastructure to obtain a Claude GitHub App installation token, granting write access to the target repository. By stealing these credentials, an attacker could replay the exchange and gain full write access to a repository’s code, issues, and workflows. Critically, if this attack were targeted at the claude-code-action repository itself, it could lead to the poisoning of the action, affecting all downstream projects that incorporate it.
Additional Vulnerabilities and Attack Vectors
RyotaK also highlighted a less sophisticated, yet equally concerning, attack vector that bypassed the “[bot]” authentication entirely. Anthropic’s own example issue-triage workflow included a configuration setting allowed_non_write_users: "*". This setting permits anyone to trigger the workflow, a configuration that Anthropic’s documentation already flags as potentially risky. Furthermore, Claude was designed to post task summaries to the workflow run’s publicly visible summary panel, inadvertently creating a channel for data exfiltration. Many repositories had adopted this example workflow, inheriting this inherent security weakness.
An additional attack path was identified for an attacker who possesses the ability to edit issues but cannot directly trigger Claude. Such an attacker could modify an issue submitted by a trusted user after the workflow has been initiated but before Claude processes it. The malicious payload, delivered through this edited issue, would then be treated as trusted input.
Mitigation and Future Implications for AI Security
To address these vulnerabilities, users are strongly advised to update to claude-code-action v1.0.94 or a later version. Furthermore, a thorough audit of any workflow that allows users without write access, or bots, to trigger Claude is imperative. If such a workflow is designed to process untrusted input, developers should limit the secrets supplied to it to the Anthropic API key and GITHUB_TOKEN, and remove any tools or permissions that could be leveraged for data exfiltration.
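The audit recommended above can be partly automated. The following is an added example written for this article, not a tool from Anthropic: it scans workflow text for a claude-code-action reference pinned below v1.0.94, for the `allowed_non_write_users: "*"` setting discussed earlier, and, when that wildcard is present, for any secrets beyond the Anthropic API key and GITHUB_TOKEN. The sample workflows are constructed; `anthropics/claude-code-action` is the assumed repository path, and the `anthropic_api_key` and `github_token` input names are assumptions as well.

```python
"""Added example for this article (not Anthropic's tooling): a line-based
audit of GitHub workflow files for the weak settings described above.
Sample workflow text is constructed."""
import re
from typing import List, Optional, Tuple

FIXED_VERSION: Tuple[int, int, int] = (1, 0, 94)           # fix version named in the article
BASELINE_SECRETS = {"ANTHROPIC_API_KEY", "GITHUB_TOKEN"}   # the two the guidance allows

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/claude-code-action)@([^\s'\"#]+)")
WILDCARD_RE = re.compile(r"^\s*allowed_non_write_users:\s*['\"]?\*['\"]?\s*$")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(ref: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a full tag such as v1.0.94, else None.
    A major-only tag (@v1) or a commit SHA cannot be compared offline."""
    m = VERSION_RE.match(ref)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_workflow(text: str) -> List[str]:
    """Return human-readable findings for one workflow file's contents."""
    findings: List[str] = []
    wildcard = False
    extra_secrets = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.group(1), m.group(2)
            ver = parse_version(ref)
            if ver is None:
                findings.append(f"line {lineno}: {action}@{ref} is not a full version tag; "
                                "confirm it resolves to v1.0.94 or later")
            elif ver < FIXED_VERSION:
                findings.append(f"line {lineno}: {action}@{ref} predates the v1.0.94 fix; update")
        if WILDCARD_RE.match(line):
            wildcard = True
            findings.append(f'line {lineno}: allowed_non_write_users: "*" lets any GitHub user '
                            "trigger the workflow")
        for name in SECRET_RE.findall(line):
            if name not in BASELINE_SECRETS:
                extra_secrets.add(name)
    # Extra secrets only matter once untrusted users can reach the workflow.
    if wildcard and extra_secrets:
        findings.append("workflow is triggerable by non-writers yet exposes extra secrets: "
                        + ", ".join(sorted(extra_secrets)))
    return findings


# Constructed workflow resembling the weak example pattern described above.
SAMPLE_VULNERABLE = """\
name: Claude issue triage
on:
  issues:
    types: [opened]
permissions:
  contents: write
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    env:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    steps:
      - uses: anthropics/claude-code-action@v1.0.90
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          allowed_non_write_users: "*"
"""

# Constructed workflow with the fix applied and the wildcard removed.
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace("@v1.0.90", "@v1.0.94") \
                                .replace('          allowed_non_write_users: "*"\n', "")

if __name__ == "__main__":
    for label, wf in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        print(f"== {label} ==")
        for f in audit_workflow(wf) or ["no findings"]:
            print(" ", f)
```

Run it over the `.github/workflows` directory of each repository you maintain; a major-only tag such as `@v1` is reported for manual confirmation because the script cannot tell offline which patch release it resolves to.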
These findings are not merely theoretical. Similar attack chains involving AI issue triagers, broad permissions, and prompt injection have already resulted in real-world supply chain compromises. In February, a prompt-injected issue title targeting Cline’s claude-code-action triage workflow led to the theft of an npm publish token, allowing attackers to push an unauthorized version of the cline package. While that specific rogue version was not malicious, the potential for delivering actual malware was significant. The autonomous “HackerBot-