Claude Code GitHub Action Flaw Risks Repository Hijacking with Single Malicious Issue
A significant vulnerability has been uncovered in Anthropic’s Claude Code GitHub Action, allowing attackers to potentially hijack public repositories that utilize this tool. This flaw can be exploited with minimal effort, requiring only a single malicious GitHub issue to initiate the attack. Given that Anthropic’s own repository employs the same workflow, the implications of this vulnerability extend to the integrity of downstream projects that rely on it.
Discovery and Response
The flaw was reported by RyotaK from GMO Flatt Security in January 2026. Within four days, Anthropic addressed the core bypass, implementing fixes that were included in the release of claude-code-action v1.0.94. The company assessed the vulnerability with a CVSS v4.0 score of 7.8 and subsequently issued a bug bounty for the discovery.
The Claude Code GitHub Action integrates Claude into Continuous Integration/Continuous Deployment (CI/CD) pipelines, enabling it to manage issues, apply labels, review pull requests, and execute slash commands. By default, this workflow grants extensive read and write access to a repository’s code, issues, pull requests, discussions, and workflow files. Given the broad permissions associated with this action, it was designed to restrict triggering to users with write access only.
Exploitation Mechanism
However, a flaw in the trigger check allowed any actor whose login ended with “[bot]” to bypass this restriction. The check assumed that GitHub Apps are inherently trustworthy. Unfortunately, anyone can create a GitHub App, install it on their own repository, and use its token to open issues or pull requests on any public repository. Consequently, the action mistakenly identified the attacker as a legitimate bot and let their content pass through.
The exploitation process involved indirect prompt injection, a technique where instructions are embedded within content that an AI processes. RyotaK crafted an issue that mimicked an error message and refined the prompt until Claude executed the commands hidden within it. The target of this manipulation was the Linux file /proc/self/environ, which contains a process’s environment variables, including sensitive information. Although Claude Code is designed to block naive reads, RyotaK successfully circumvented this safeguard, enabling Claude to disclose the values back into the issue, where they could be captured by the attacker.
Implications of the Vulnerability
The most critical information obtained from these environment variables is the credential pair used by GitHub Actions to request an OpenID Connect (OIDC) token. This signed token verifies the identity of the workflow running within a specific repository. Claude Code exchanges this token with Anthropic’s backend for a Claude GitHub App installation token, which possesses write access. If an attacker successfully acquires these credentials, they can replay the exchange to gain write access to the target’s code, issues, and workflows. By directing this access toward the claude-code-action repository itself, an attacker could poison the action that downstream projects utilize.
RyotaK also identified an alternative exploitation route that bypassed the bot trick entirely. Anthropic’s example issue-triage workflow included a setting that allowed non-write users to trigger it, a configuration already flagged as risky in Anthropic’s documentation. Furthermore, Claude was posting task summaries to the publicly visible summary panel of the workflow run, creating an additional avenue for data leakage. Many repositories that adopted this example inherited this vulnerability.
There exists another potential pathway for attackers who can edit issues but lack the ability to trigger Claude independently. By modifying a trusted user’s issue after the workflow has been initiated but before Claude processes it, the payload can be introduced as “trusted” input.
Recommended Actions
To mitigate these risks, it is imperative for users to update to claude-code-action v1.0.94 or later. Additionally, an audit of any workflows that permit users without write access, or bots, to trigger Claude is essential. If these workflows are handling untrusted input, it is crucial to limit the exposure of sensitive information to only the Anthropic API key and GITHUB_TOKEN, while also removing tools and permissions that could facilitate data exfiltration.
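The following is an added illustration, not code from claude-code-action or Anthropic, of the trigger check described under Exploitation Mechanism and the issue-edit race noted above: a weak gate that trusts the “[bot]” suffix beside a hardened one, plus a staleness check on the issue content. The allowlist of bot logins and the shape of the event objects are assumptions for the example.

```javascript
// Added example, not code from claude-code-action. weakGate() reproduces the
// bug described above (any login ending in "[bot]" is trusted); hardenedGate()
// trusts only allowlisted bot logins and otherwise requires write permission;
// isStaleInput() covers the edit race between trigger and processing.

const WRITE_LEVELS = new Set(["write", "maintain", "admin"]);

// Weak gate: the "[bot]" suffix alone grants access. Anyone can create a
// GitHub App, so the suffix is not evidence of trust.
function weakGate(actor, permission) {
  if (actor.endsWith("[bot]")) return true;
  return WRITE_LEVELS.has(permission);
}

// Hardened gate: bots need an explicit allowlist entry (allowedBots is an
// assumed config value); humans need write-level permission on the repo.
function hardenedGate(actor, permission, allowedBots = []) {
  if (actor.endsWith("[bot]")) return allowedBots.includes(actor);
  return WRITE_LEVELS.has(permission);
}

// Edit-race check: any difference between the event's issue snapshot and the
// issue fetched just before the agent reads it means an edit landed in between.
function isStaleInput(eventIssue, fetchedIssue) {
  return (
    eventIssue.body !== fetchedIssue.body ||
    eventIssue.title !== fetchedIssue.title ||
    eventIssue.updated_at !== fetchedIssue.updated_at
  );
}

// Constructed sample: a maintainer opens an issue; before the run starts,
// someone with edit rights on the issue rewrites its body.
const TRIGGER_EVENT = {
  actor: "maintainer", permission: "admin",
  issue: { title: "Build fails on main", body: "See CI log", updated_at: "2026-01-10T10:00:00Z" },
};
const ISSUE_AT_RUN_TIME = {
  title: "Build fails on main",
  body: "See CI log\n\n(edited after trigger)",
  updated_at: "2026-01-10T10:02:00Z",
};

// Run only when the actor passes the hardened gate and the issue is unchanged.
function shouldRun(event, currentIssue, allowedBots) {
  if (!hardenedGate(event.actor, event.permission, allowedBots)) return false;
  return !isStaleInput(event.issue, currentIssue);
}
```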
Real-World Consequences
The implications of this vulnerability are not merely theoretical. A similar configuration involving an AI issue triager, broad permissions, and prompt injection has already resulted in a real supply-chain attack. In February, a prompt-injected issue title against Cline’s claude-code-action triage workflow enabled attackers to steal an npm publish token, leading to the unauthorized release of version 2.3.0 of the Cline CLI. Although this rogue version only installed a separate, non-malicious AI agent and was retracted within eight hours, the same exploit could have easily distributed malicious software to users.
Additionally, the autonomous “HackerBot-Claw” bot conducted probing activities in late February, targeting GitHub Actions misconfigurations across various organizations, including Microsoft and Datadog. Although it attempted to prompt-inject a Claude-based reviewer through a compromised configuration file, Claude successfully identified and rejected the attempt.
While there is currently no evidence that this specific exploitation path has been used against a live target, RyotaK confirmed that he demonstrated the vulnerability in his own test repositories. He has reported approximately 50 distinct methods to bypass Claude Code’s permission system and execute commands, highlighting a persistent trend of prompt-injection vulnerabilities in AI coding agents.
Prompt injection remains an unresolved issue, and agents equipped with genuine tools and tokens can be exploited to the extent of their permissions.
Source: thehackernews.com