Anthropic has fixed a critical security flaw in its Claude Code GitHub Action that could have allowed attackers to take over vulnerable public repositories using nothing more than a single GitHub issue.
The vulnerability, discovered by RyotaK of GMO Flatt Security, exposed a dangerous combination of excessive GitHub Action permissions, weak trigger validation, and indirect prompt injection. In the worst-case scenario, attackers could have compromised Anthropic's own GitHub Action repository and distributed malicious code downstream to projects using the action.
How the Vulnerability Worked
Claude Code GitHub Actions enables Anthropic's AI assistant to interact directly with GitHub repositories, helping teams:
- Triage issues
- Review pull requests
- Apply labels
- Execute slash commands
- Automate development workflows
Because the action operates with extensive repository permissions, it is designed to restrict execution to trusted users with write access.
However, researchers found a bypass in the permission validation logic.
The workflow incorrectly trusted any GitHub actor whose username ended with "[bot]", assuming the account belonged to a legitimate GitHub App. Since anyone can create and operate a GitHub App, attackers could generate their own bot account and interact with public repositories.
As a result, Claude Code would treat attacker-controlled content as trusted input.
Prompt Injection Leads to Secret Theft
After bypassing the trigger validation, the attack relied on indirect prompt injection.
The researcher crafted a GitHub issue that appeared to contain an error message. When Claude processed the issue, the embedded instructions manipulated the AI into executing unintended actions.
The attack ultimately targeted:
/proc/self/environ
This Linux file contains environment variables, including sensitive credentials used during workflow execution.
Although Claude Code includes protections against direct access to sensitive files, the researcher demonstrated methods to bypass these safeguards and force Claude to expose secrets back into the GitHub issue itself.
Escalation to Repository Takeover
The exposed environment variables contained credentials used by GitHub Actions to obtain OIDC (OpenID Connect) tokens.
These tokens are exchanged with Anthropic's backend service to generate a Claude GitHub App installation token with write permissions.
An attacker who obtained these credentials could:
- Modify repository source code
- Create or alter workflows
- Access issues and pull requests
- Push malicious commits
- Potentially compromise downstream projects
Had the attack been executed against Anthropic's own action repository, it could have enabled a large-scale software supply chain compromise.
Additional Security Weaknesses
Unsafe Example Workflow
Anthropic's example issue-triage workflow included:
allowed_non_write_users: "*"
This configuration allowed any GitHub user to trigger the workflow.
Although Anthropic documented the setting as risky, many repositories copied the example configuration directly, unintentionally exposing themselves.
Public Workflow Summaries
Claude also posted task summaries to publicly visible GitHub workflow summaries, creating another potential avenue for sensitive information leakage.
Trusted-Issue Modification Attack
Researchers discovered another attack path where an adversary could:
- Wait for a trusted user to trigger Claude.
- Modify the issue content before Claude processed it.
- Inject malicious instructions into what Claude believed was trusted input.
Real-World Supply Chain Impact
The risks are not theoretical.
Earlier this year, attackers exploited a similar prompt-injection vulnerability in Cline's Claude-based GitHub Action workflow.
The attack allowed threat actors to:
- Steal an npm publishing token
- Publish an unauthorized version of
[email protected] - Distribute a rogue package to users
While the malicious release was removed within hours, security researchers noted that the same technique could easily have been used to distribute malware at scale.
Researchers also observed the autonomous HackerBot-Claw system actively probing GitHub Actions workflows across major organizations, including Microsoft, Datadog, and CNCF projects.
Mitigation and Recommendations
Anthropic addressed the vulnerabilities rapidly after disclosure.
Fixed Version: claude-code-action v1.0.94
Security teams should:
- Update immediately to v1.0.94 or later
- Audit all Claude Code workflows
- Restrict execution to trusted users only
- Avoid exposing sensitive secrets to AI workflows
- Minimize GitHub Action permissions
- Remove unnecessary tools capable of exfiltrating data
- Monitor repositories for prompt injection attempts
Why This Matters
This incident highlights a growing challenge in AI-powered development environments.
Prompt injection remains one of the most difficult security problems facing AI agents. When AI systems are granted access to repositories, credentials, APIs, and automation tools, a successful prompt injection can quickly escalate into a full repository compromise.
As AI coding assistants become increasingly integrated into CI/CD pipelines, organizations must treat them with the same security scrutiny applied to privileged service accounts and automation infrastructure.
Conclusion
The Claude Code GitHub Action vulnerability demonstrates how AI agents can become high-value targets when granted broad repository permissions. While Anthropic has patched the issue, the incident serves as another reminder that prompt injection remains a critical risk for AI-driven automation and software supply chains.
