Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories
Source: The Hacker News
Swati Khandelwal
June 4 2026 – Vulnerability / AI Security

A security researcher discovered a flaw in Anthropic’s Claude Code GitHub Action that allowed an attacker to take over vulnerable public repositories with just a single opened GitHub issue. Because Anthropic’s own action repository used the same workflow, a working exploit could have pushed malicious code into the action itself and into downstream projects that pull it.
- RyotaK of GMO Flatt Security reported the core bypass to Anthropic in January.
- Anthropic fixed the issue within four days (commit 1bbc9e7) and added further hardening later in the spring. The fixes are included in claude-code-action v1.0.94.
- Anthropic rated the vulnerability 7.8 under CVSS v4.0 and paid a bug bounty.
Claude Code GitHub Actions drop Claude into CI/CD pipelines to triage issues, apply labels, review pull requests, or run slash commands. By default the workflow receives read‑and‑write access to a repository’s code, issues, pull requests, discussions, and workflow files. Because these permissions are broad, the action is supposed to be selective about who can trigger it: only users with write access.

How the trigger check was bypassed
The trigger check allowed any actor whose name ended in [bot], assuming that GitHub Apps are trusted. However, anyone can:
- Register a GitHub App.
- Install it on a repository they own.
- Use its token to open an issue or pull request on any public repository.
The action saw “a bot” and let the attacker’s content through.
- Tag mode performed an extra check to confirm the actor was a real human.
- Agent mode lacked this check, leaving it open.
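The trust decision above, written out as code: the suffix-based check that was bypassed, beside a hardened form that decides on who the actor is rather than on what the login looks like. This is an added illustration, not code from the article or from claude-code-action; the Actor fields, the permission table and the trusted app id are constructed for the example, and a real gate would query the repository's collaborator permission for humans and compare the installed GitHub App's id for bots.

```python
"""Trigger gate for an AI CI action: the bypassed suffix check beside a
hardened check keyed on real permissions.

Added example; not code from claude-code-action. Actor fields, the
permission table and the trusted app id are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Actor:
    login: str             # login that opened the issue or pull request
    actor_type: str        # "User" or "Bot", as the webhook payload reports it
    app_id: Optional[int]  # GitHub App id for bot actors; None for humans


def is_trusted_vulnerable(actor):
    """The bypassed logic. Every GitHub App acts through a login ending in
    '[bot]', including an app anyone registered minutes ago, so the suffix
    says nothing about who is behind the request."""
    return actor.login.endswith("[bot]")


# Constructed stand-ins for the collaborator-permission lookup and for an
# explicit allowlist of GitHub App ids this repository trusts.
REPO_PERMISSIONS = {"maintainer": "write", "drive-by": "read"}
TRUSTED_APP_IDS = {424242}


def is_trusted_hardened(actor, permissions=REPO_PERMISSIONS,
                        trusted_apps=TRUSTED_APP_IDS):
    """Decide on identity and permission, never on the login string."""
    if actor.actor_type == "Bot":
        # An app's identity is its id; its login is chosen by whoever made it.
        return actor.app_id in trusted_apps
    # Humans need write (or admin) permission on *this* repository.
    return permissions.get(actor.login) in {"write", "admin"}


if __name__ == "__main__":
    # Constructed actors: an attacker-registered app, the trusted app, two humans.
    for actor in (Actor("evil-app[bot]", "Bot", 999),
                  Actor("trusted-app[bot]", "Bot", 424242),
                  Actor("maintainer", "User", None),
                  Actor("drive-by", "User", None)):
        print(f"{actor.login:18} vulnerable={is_trusted_vulnerable(actor)!s:5} "
              f"hardened={is_trusted_hardened(actor)}")
```

The same gate should run in every mode the action supports; the article notes that tag mode performed a human check that agent mode skipped, and a mode-specific exception is exactly where such bypasses hide.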
Indirect prompt injection
The attacker leveraged indirect prompt injection—planting instructions inside content that the AI reads so the model follows them instead of its intended task.
- RyotaK created an issue whose body looked like an error message.
- By refining the prompt, Claude was coaxed into “recovering” and executing hidden commands.
- The target was /proc/self/environ, the Linux file that holds a process’s environment variables (including secrets).
- Although Claude Code blocks naïve reads, RyotaK bypassed the guard and forced Claude to write the values back into the issue, where the attacker could retrieve them.
The real prize: OIDC credentials
The environment variables contain the credential pair GitHub Actions uses to request an OIDC token—a signed token proving “I’m this workflow running in this repo.” Claude Code trades that token with Anthropic’s backend for a Claude GitHub App installation token with write access.
- Steal those credentials, replay the exchange, and you gain write access to the target’s code, issues, and workflows.
- If the attack is aimed at the claude-code-action repository itself, the attacker could poison the action that downstream projects pull.

Additional weaknesses
- Allowed non‑write users – Anthropic’s example issue‑triage workflow shipped with allowed_non_write_users: "*", which lets anyone trigger it. Anthropic’s own docs already flag this as risky.
- Public summary leakage – Claude posted task summaries to the workflow run’s publicly visible summary panel, providing a ready‑made data‑exfiltration channel. Many repositories copied this example and inherited the hole.
- Edit‑after‑trigger attack – An attacker who can edit issues (but not trigger Claude) could modify a trusted user’s issue after the workflow has started but before Claude reads it, injecting a malicious payload as “trusted” input.
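Two guards at the untrusted-content boundary, covering the edit-after-trigger window just described and the exfiltration channel from the prompt-injection section (secrets written back into an issue or summary). This is an added example, not code from the article or from claude-code-action. The issue and event field names follow the GitHub webhook payload shape as an assumption; ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL are the runner variables GitHub Actions uses to request an OIDC token, which the article identifies as the real prize.

```python
"""Input freshness check and outbound secret redaction for an AI agent
running in CI.

Added example; not code from the article or from claude-code-action.
Payload field names and the sample data below are constructed assumptions.
"""
import base64
import re
from datetime import datetime


def _ts(value):
    # GitHub emits timestamps such as "2026-01-15T10:00:00Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def issue_was_edited(event_issue, live_issue):
    """True if the live issue differs from the snapshot in the trigger event."""
    if live_issue["id"] != event_issue["id"]:
        return True
    return (_ts(live_issue["updated_at"]) > _ts(event_issue["updated_at"])
            or live_issue.get("body") != event_issue.get("body"))


def trusted_issue_body(event_issue, live_issue):
    """Return the body captured when the workflow was triggered (the text the
    trust decision was made on). Refusing on any later edit closes the
    edit-after-trigger window that re-reading the issue would open."""
    if issue_was_edited(event_issue, live_issue):
        raise ValueError("issue changed after trigger; refusing to act on it")
    return event_issue["body"]


# Variables whose values must never be echoed into an issue, comment or
# run summary. The first pair is what the runner uses to mint OIDC tokens.
SENSITIVE_ENV = (
    "ACTIONS_ID_TOKEN_REQUEST_TOKEN",
    "ACTIONS_ID_TOKEN_REQUEST_URL",
    "GITHUB_TOKEN",
    "ANTHROPIC_API_KEY",
)
# GitHub token shapes: prefix ghp_/gho_/ghu_/ghs_/ghr_ followed by the body.
GITHUB_TOKEN_RE = re.compile(r"gh[pousr]_[A-Za-z0-9]{20,}")
PLACEHOLDER = "[REDACTED]"


def redact_secrets(text, env):
    """Scrub sensitive env values, their base64 forms and token-shaped
    strings from text that is about to leave the runner."""
    out = text
    # Longest values first so a short value cannot split a longer one apart.
    values = sorted((env[n] for n in SENSITIVE_ENV if env.get(n)),
                    key=len, reverse=True)
    for value in values:
        if len(value) < 8:
            continue  # too short to be a credential; avoid mangling prose
        encoded = base64.b64encode(value.encode()).decode()
        for needle in (value, encoded):
            out = out.replace(needle, PLACEHOLDER)
    return GITHUB_TOKEN_RE.sub(PLACEHOLDER, out)


# Constructed sample data (not taken from any real workflow run).
EVENT_ISSUE = {"id": 101, "updated_at": "2026-01-15T10:00:00Z",
               "body": "CI fails on main after dependency bump"}
LIVE_UNCHANGED = dict(EVENT_ISSUE)
LIVE_EDITED = {"id": 101, "updated_at": "2026-01-15T10:00:30Z",
               "body": "CI fails on main after dependency bump (edited)"}
SAMPLE_ENV = {"ACTIONS_ID_TOKEN_REQUEST_TOKEN": "eyJhbGciOi.constructed.value",
              "GITHUB_TOKEN": "ghs_" + "A" * 32,
              "HOME": "/home/runner"}
SAMPLE_NOTE = ("debug: request_token=eyJhbGciOi.constructed.value "
               "b64=ZXlKaGJHY2lPaS5jb25zdHJ1Y3RlZC52YWx1ZQ== "
               "gh=ghs_" + "A" * 32)

if __name__ == "__main__":
    print(trusted_issue_body(EVENT_ISSUE, LIVE_UNCHANGED))
    print(issue_was_edited(EVENT_ISSUE, LIVE_EDITED))
    print(redact_secrets(SAMPLE_NOTE, SAMPLE_ENV))
```

Redaction is a backstop, not the fix: the article's own mitigation is to keep anything that can read untrusted text away from secrets and exfiltration channels in the first place.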
Mitigations
- Upgrade to claude-code-action v1.0.94 or later.
- Audit any workflow that allows users without write access—or bots—to trigger Claude.
- If the workflow consumes untrusted input, ensure it only receives the Anthropic API key and GITHUB_TOKEN; remove any additional tools or permissions that could be abused for exfiltration.
- Remove or restrict allowed_non_write_users settings.
- Avoid publishing sensitive data to the workflow run summary panel.
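A static audit that turns the mitigation list above into checks a maintainer can run over their workflows, with a weak configuration and its hardened counterpart as constructed inputs. This is an added example, not code from the article, from The Hacker News or from the claude-code-action project. Only the allowed_non_write_users input and the v1.0.94 threshold come from the article; the workflow is represented as the dict a YAML loader would produce (a real auditor would load each file under .github/workflows/), and the action path, the other input names and the sample workflows are assumptions.

```python
"""Audit a GitHub Actions workflow that runs an AI coding agent for the
weaknesses listed in the article.

Added example; not code from the article or from claude-code-action.
Workflows are dicts as a YAML loader would produce them. Only
`allowed_non_write_users` and the v1.0.94 threshold come from the article;
the action path, input names and sample workflows are assumptions.
"""
import re

# Events whose payload is attacker-controlled on a public repository.
UNTRUSTED_TRIGGERS = {"issues", "issue_comment", "pull_request_target",
                      "discussion", "discussion_comment"}
# The only secret-bearing inputs the agent step should receive (assumed names).
ALLOWED_SECRET_INPUTS = {"anthropic_api_key", "github_token"}
# Scopes that let a job change code or CI definitions.
WRITE_SCOPES = {"contents", "actions", "workflows"}
MIN_VERSION = (1, 0, 94)


def _triggers(wf):
    on = wf.get("on", {})
    if isinstance(on, str):
        return {on}
    return set(on)  # list of names, or dict keyed by event name


def _permissions(job, wf):
    perms = job.get("permissions", wf.get("permissions", {}))
    if perms == "write-all":
        return {scope: "write" for scope in WRITE_SCOPES}
    return perms if isinstance(perms, dict) else {}


def _parse_version(ref):
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None


def _audit_agent_step(job_name, uses, step, untrusted):
    out = []
    ref = uses.rsplit("@", 1)[-1] if "@" in uses else ""
    version = _parse_version(ref)
    if version is None:
        out.append(f"{job_name}: {uses!r} not pinned to a release; "
                   f"cannot confirm >= v1.0.94 from this ref")
    elif version < MIN_VERSION:
        out.append(f"{job_name}: {ref} is older than v1.0.94")
    inputs = step.get("with", {})
    if "allowed_non_write_users" in inputs:
        out.append(f"{job_name}: allowed_non_write_users="
                   f"{inputs['allowed_non_write_users']!r}; remove or restrict")
    if untrusted:
        # Any secret reaching the agent beyond the API key and GITHUB_TOKEN
        # is a potential exfiltration target once the model reads attacker text.
        refs = list(inputs.items()) + list(step.get("env", {}).items())
        extra = sorted(k for k, v in refs
                       if "secrets." in str(v) and k.lower() not in ALLOWED_SECRET_INPUTS)
        if extra:
            out.append(f"{job_name}: extra secrets reach the agent step: {extra}")
    return out


def audit_workflow(wf):
    findings = []
    untrusted = bool(_triggers(wf) & UNTRUSTED_TRIGGERS)
    for job_name, job in wf.get("jobs", {}).items():
        perms = _permissions(job, wf)
        writable = sorted(s for s in WRITE_SCOPES if perms.get(s) == "write")
        if untrusted and writable:
            findings.append(f"{job_name}: untrusted trigger with write on {writable}")
        for step in job.get("steps", []):
            uses = step.get("uses", "")
            if "claude-code-action" in uses:
                findings += _audit_agent_step(job_name, uses, step, untrusted)
            if untrusted and "GITHUB_STEP_SUMMARY" in step.get("run", ""):
                findings.append(f"{job_name}: writes to the public run summary")
    return findings


# Constructed sample workflows (not Anthropic's example, not a real repo's).
WEAK_WORKFLOW = {
    "on": {"issues": {"types": ["opened"]}},
    "permissions": {"contents": "write", "issues": "write", "id-token": "write"},
    "jobs": {"triage": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "anthropics/claude-code-action@v1",
         "with": {"anthropic_api_key": "${{ secrets.ANTHROPIC_API_KEY }}",
                  "allowed_non_write_users": "*"},
         "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
        {"run": 'echo "$SUMMARY" >> "$GITHUB_STEP_SUMMARY"'},
    ]}},
}
HARDENED_WORKFLOW = {
    "on": {"issues": {"types": ["opened"]}},
    "permissions": {"contents": "read", "issues": "write", "id-token": "write"},
    "jobs": {"triage": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "anthropics/claude-code-action@v1.0.94",
         "with": {"anthropic_api_key": "${{ secrets.ANTHROPIC_API_KEY }}",
                  "github_token": "${{ secrets.GITHUB_TOKEN }}"}},
    ]}},
}

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "no findings")
```

The hardened variant keeps issues: write so the agent can still comment, keeps id-token: write because the OIDC exchange described earlier needs it, and drops everything else; the gate on who may trigger the action is enforced by the upgraded action itself, not by the workflow.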

Real‑world impact
The issue is not theoretical. The same combination—an AI issue‑triager, broad permissions, and prompt injection—already caused a supply‑chain compromise:
- February 2024 – A prompt‑injected issue title against Cline’s claude-code-action triage workflow allowed attackers to steal an npm publish token.
The rogue version of cline@2.3.0 was pushed and forced‑installed a separate, non‑malicious AI agent. It was pulled about eight hours later, but the same supply‑chain could have shipped real malware to everyone who updated.
- The autonomous “HackerBot‑Claw” bot then spent late February probing GitHub Actions misconfigurations at Microsoft, Datadog, CNCF projects, and others. When it tried to prompt‑inject a Claude‑based reviewer through a poisoned config file, Claude caught it and refused.
There is no public sign that this exact path—poisoning Anthropic’s own action—has been used against a live target. RyotaK demonstrated it only in his own test repositories and separates it from the variants that were actually exploited.
RyotaK reports that he has now disclosed around 50 separate ways to bypass Claude Code’s permission system and run commands, contributing to a steady stream of prompt‑injection flaws in AI coding agents. Prompt injection remains unsolved, and an agent equipped with real tools and tokens can be pushed as far as its permissions allow.