## Critical Flaw in Claude Code GitHub Action Uncovered  A security researcher has identified a significant vulnerability within **Anthropic**'s **Claude Code GitHub Action**, a tool designed to integrate the **Claude** AI model into CI/CD pipelines for tasks like issue triaging and pull request reviews. The flaw, if exploited, could have enabled attackers to gain control over vulnerable public repositories, including the action's own source code, with just a single opened **GitHub** issue. ## The Attack Vector: Bypassing Bot Security and Prompt Injection The core of the vulnerability lay in how the **Claude Code GitHub Action** validated trigger events. While it was intended to restrict triggers to users with write access, a critical loophole allowed any actor whose name ended in `[bot]` to bypass this check. This assumption proved faulty, as anyone can register a **GitHub App** and use its token to open issues or pull requests on public repositories, effectively masquerading as a trusted bot. Once authenticated, the attacker would then employ an indirect prompt injection technique. This involves embedding malicious instructions within seemingly benign content (like an error message in a **GitHub** issue) that the **Claude** AI model would process. **RyotaK** of **GMO Flatt Security**, the researcher who discovered the flaw, demonstrated how to trick **Claude** into "recovering" by executing commands buried in the prompt. This allowed exfiltration of environment variables, including sensitive credentials used by **GitHub Actions** to request an **OIDC token**. ## From Credentials to Repository Takeover The stolen **GitHub Actions** credentials, particularly the **OIDC token** exchange mechanism, were the ultimate prize. By replaying this exchange, an attacker could obtain a **Claude GitHub App** installation token with full write access to the target repository's code, issues, and workflows. This presented a severe supply chain risk: targeting the `claude-code-action` repository itself could have allowed attackers to inject malicious code directly into the action, which would then be pulled by all downstream projects. ## Additional Weaknesses and Real-World Impact  **RyotaK** also highlighted other vulnerabilities, including **Anthropic**'s own example issue-triage workflow shipping with `allowed_non_write_users: "*"`. This setting, explicitly flagged as risky in **Anthropic**'s documentation, allowed anyone to trigger the workflow. Furthermore, **Claude** was observed posting task summaries to publicly visible workflow run panels, offering a ready channel for data exfiltration. Many repositories that copied this example inherited these risks. While the specific attack vector against **Anthropic**'s own action was proven only in test environments, similar AI-driven supply chain attacks have already occurred: * In February, a prompt-injected issue title against **Cline**'s `claude-code-action` triage workflow led to the theft of an npm publish token. This resulted in an unauthorized `[email protected]` being pushed, though the rogue version was quickly removed. * The autonomous bot **HackerBot-Claw** was observed in late February probing **GitHub Actions** misconfigurations across various organizations, including **Microsoft**, **Datadog**, and **CNCF** projects. ## The Fix and Recommendations **GMO Flatt Security**'s **RyotaK** reported the bypass to **Anthropic** in January. **Anthropic** promptly addressed the issue, fixing it within four days and implementing further hardening throughout the spring. The corrected version, `claude-code-action v1.0.94`, is now available. **Anthropic** rated the vulnerability 7.8 under **CVSS v4.0** and awarded a bug bounty. For users of **Claude Code GitHub Action**, immediate action is advised: * Update to `claude-code-action v1.0.94` or later. * Audit any workflows that permit users without write access, or bots, to trigger **Claude**. * If untrusted input is processed, ensure that no secrets beyond the **Anthropic API key** and `GITHUB_TOKEN` are fed to the workflow. * Remove any tools and permissions that could be exploited for data exfiltration. **RyotaK** continues to identify numerous prompt injection flaws in AI coding agents, underscoring that the challenge of prompt injection remains largely unsolved. An AI agent, when equipped with real tools and tokens, can be compelled to operate to the full extent of its granted permissions.