Claude Code GitHub Action Flaw Enabled Repository Hijacking

Claude Code GitHub Action Flaw Enabled Full Repository Takeover via a Single Bot Issue

A critical vulnerability in Anthropic’s Claude Code GitHub Action gave attackers the ability to fully compromise any public repository running the tool, using nothing more than a single GitHub issue submitted by a bot account. Discovered by security researcher RyotaK of GMO Flatt Security, the flaw chained a logic error in permission handling with an indirect prompt injection attack to steal CI/CD secrets and acquire write access to source code, workflow files, and more. Because Anthropic’s own action repository ran the same vulnerable workflow, a successful exploit could have poisoned the upstream action and every project pulling it downstream.

The Bot Actor Permission Bypass

The Claude Code GitHub Action embeds Anthropic’s AI directly into CI/CD pipelines, where it handles issue triage, pull request review, labeling, and slash command execution. By default, the action carries read and write permissions across a repository’s code, issues, pull requests, discussions, and workflow definitions, a broad permission scope that makes its trigger controls critical.

The action was designed to respond only to users who hold write access to the target repository. The logic error: the action automatically trusted any GitHub actor whose username ended in the suffix [bot], on the assumption that such accounts belonged to GitHub Apps installed by legitimate administrators. The reality is that anyone can register their own GitHub App, install it on a repository they control, and use the resulting token to open issues or pull requests against any public repository. When the action saw a username ending in [bot], it treated the content as trusted without further verification. Agent mode lacked the secondary human-actor check that was present in tag mode, leaving it fully open to this bypass.
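To make the logic error concrete, here is the suffix-based trust check described above beside a hardened version that never treats the [bot] suffix as authorization. This is an added example, not claude-code-action's own code or Anthropic's patch; the `permission_of` callback is an assumed, simplified stand-in for a lookup of the actor's repository permission, and the collaborator table is constructed for the demonstration.

```python
# Added example (not claude-code-action's own code): the bot-suffix trust
# check described in the article, beside a hardened check that derives trust
# from the repository rather than from the shape of the username.
# `permission_of` is an assumed interface standing in for a lookup of the
# actor's repository permission (simplified from GitHub's collaborator
# permission levels: none / read / triage / write / maintain / admin).
from __future__ import annotations

WRITE_LEVELS = {"write", "maintain", "admin"}


def flawed_is_trusted(actor: str, permission_of) -> bool:
    """The logic error: any actor named '<something>[bot]' is trusted outright.
    Every GitHub App token acts as '<app-slug>[bot]', including apps that
    someone with no relation to this repository registered and installed on
    their own repository, so the suffix proves nothing about who controls it."""
    if actor.endswith("[bot]"):
        return True
    return permission_of(actor) in WRITE_LEVELS


def hardened_is_trusted(actor: str, permission_of,
                        allowed_bots: frozenset[str] = frozenset()) -> bool:
    """Trust comes from the repository, never from the username's shape:
    bot accounts are accepted only if the repository owner listed them
    explicitly; human accounts must hold write access or better."""
    if actor.endswith("[bot]"):
        return actor in allowed_bots
    return permission_of(actor) in WRITE_LEVELS


# Constructed collaborator table standing in for the permission lookup.
COLLABORATORS = {"maintainer": "admin", "triager": "triage", "reader": "read"}


def lookup_permission(actor: str) -> str:
    # Accounts with no relationship to the repository have permission "none".
    return COLLABORATORS.get(actor, "none")


def compare(actor: str, allowed_bots: frozenset[str] = frozenset()) -> tuple[bool, bool]:
    """Return (flawed_result, hardened_result) for one actor."""
    return (flawed_is_trusted(actor, lookup_permission),
            hardened_is_trusted(actor, lookup_permission, allowed_bots))


if __name__ == "__main__":
    allowlist = frozenset({"dependabot[bot]"})
    for actor in ("maintainer", "reader", "unknown-app[bot]", "dependabot[bot]"):
        flawed, hardened = compare(actor, allowlist)
        print(f"{actor:18} flawed={flawed!s:5} hardened={hardened}")
```

The difference shows up on `unknown-app[bot]`: the flawed check accepts it because of the suffix alone, while the hardened check rejects it unless the owner put that exact bot on the allowlist. Human actors are handled identically by both, which is why the flaw was easy to miss in testing with ordinary accounts.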

Turning the AI Against Its Own Secrets

With the permission gate bypassed, the attacker’s next step relied on indirect prompt injection, the technique of embedding instructions inside content that an AI model reads so the model follows the injected commands rather than its actual task. RyotaK crafted a GitHub issue body formatted to resemble an error message, then refined the injected prompt until Claude would “recover” by executing embedded commands.

The primary target was /proc/self/environ, the Linux virtual file containing all environment variables for a running process, including any secrets loaded into the CI/CD environment. Claude Code has controls designed to block direct reads of this file. RyotaK found a bypass that caused the model to write the environment variable values back into the GitHub issue body, where the attacker could read them directly from the public interface.

Credential Theft and the Supply Chain Risk

The most dangerous credential reachable through those environment variables was the OIDC token request pair used by GitHub Actions. Claude Code exchanges this credential with Anthropic’s backend to obtain a Claude GitHub App installation token carrying write access to the repository. By stealing the base credential pair and replaying that token exchange, an attacker could acquire full write access to the target’s code, issues, and CI/CD workflows.

The higher-order risk was the upstream impact. Anthropic’s own claude-code-action repository used the same workflow configuration. A successful attack targeting it could have pushed malicious code directly into the published GitHub Action, poisoning every downstream project that references it.

RyotaK reported the core bypass to Anthropic in January 2026. Anthropic issued a patch within four days, with further hardening shipped through spring 2026. The fixes are available in claude-code-action v1.0.94. Anthropic scored the issues at 7.8 under CVSS v4.0 and paid a bug bounty for the disclosure.

A Second Route Through Misconfigured Example Workflows

RyotaK also identified a separate attack path that sidestepped the bot bypass entirely. Anthropic’s official example issue-triage workflow shipped with the setting allowed_non_write_users: "*", granting any GitHub user, regardless of repository permissions, the ability to trigger Claude. Anthropic’s own documentation explicitly flagged this setting as risky, yet it appeared in the official example template. Any repository that copied that template inherited the misconfiguration without modification.

Compounding the exposure, Claude was posting task summaries to GitHub Actions’ publicly visible workflow summary panel, creating a built-in channel for leaking data out of the pipeline. A further variant allowed an attacker who could edit another user’s issue, but could not trigger Claude directly, to insert a malicious payload after a trusted user had already fired the workflow, riding the content through as trusted input.

Real-World Supply Chain Incidents Confirm the Risk

The attack chain is not theoretical. In February 2026, a prompt-injected issue title targeting the Cline project’s claude-code-action triage workflow allowed attackers to steal an npm publish token and push an unauthorized release, Cline@2.3.0. The rogue version force-installed a separate AI agent and was pulled roughly eight hours after publication. The same mechanism, applied with malicious intent, could have shipped genuine malware to every user who updated the package.

Shortly after, an autonomous bot called HackerBot-Claw spent late February scanning GitHub Actions configurations across organizations including Microsoft, Datadog, and multiple CNCF projects, probing for the same class of misconfiguration. When it attempted a prompt injection attack against a Claude-based code reviewer through a poisoned configuration file, Claude recognized and refused the attempt.

RyotaK has confirmed the specific path through Anthropic’s own action repository was never exploited against a live production target; all exploitation was validated in controlled personal test repositories.


Canadian Impact: Supply Chain Security Under PIPEDA and CCCS Guidance

Canadian organizations governed by PIPEDA (Personal Information Protection and Electronic Documents Act) and aligned with guidance from the Canadian Centre for Cyber Security (CCCS) face direct exposure from this class of vulnerability. Any Canadian organization running Claude Code GitHub Actions in pipelines that deploy or process software handling personal information must treat this as a supply chain security event, not a routine CI/CD misconfiguration.

The CCCS has consistently identified software supply chain integrity as a top-tier threat priority for Canadian enterprises, particularly in financial services, health technology, and federal and provincial government IT environments. A compromised GitHub Action holding write access to a production codebase represents precisely the upstream tampering scenario that CCCS supply chain security advisories are designed to mitigate.

Canadian DevSecOps teams should also review whether AI-assisted pipeline configurations align with least-privilege access principles, a control requirement embedded in both PIPEDA compliance frameworks and CCCS operational security guidance.

A Systemic Problem: AI Agents With Real Credentials

RyotaK has now reported approximately 50 separate methods for bypassing Claude Code’s permission controls and triggering unauthorized command execution. The research is part of a growing body of work exposing prompt injection vulnerabilities across AI coding agents.

The core problem is systemic: when an AI agent holding real credentials and real tools processes untrusted input, an attacker who controls that input can redirect the agent’s behavior as far as its permissions allow. Combining broad CI/CD permissions with AI-driven automation creates an attack surface that conventional security models were not designed to address.


Key Takeaways

  • A logic flaw in the Claude Code GitHub Action’s bot-actor trust check allowed any attacker-registered GitHub App token to trigger Claude workflows in public repositories without write access.
  • Indirect prompt injection enabled attackers to bypass Claude’s file read protections and exfiltrate environment variables, including CI/CD secrets, through the GitHub issue interface.
  • Stolen OIDC credentials could be exchanged for write access to repository code, workflows, and issues, including Anthropic’s own action repository, creating a direct supply chain risk.
  • The vulnerability is patched in claude-code-action v1.0.94 (CVSS v4.0 score: 7.8); Anthropic shipped the initial fix within four days of the January 2026 disclosure.
  • A comparable prompt injection attack against the Cline project in February 2026 resulted in an unauthorized npm package publication, confirming this is an actively exploited threat class.
  • Canadian organizations under PIPEDA and CCCS supply chain security guidance should treat this as a software supply chain incident requiring immediate patch validation and pipeline auditing.
  • Prompt injection in AI coding agents is an unresolved systemic risk; any agent with write-level permissions should process only verified, trusted input.

What You Should Do Now

  1. Patch immediately. Update claude-code-action to v1.0.94 or later. Review all GitHub Actions workflow files in your organization to confirm the version pinned and update any that remain behind.
  2. Audit bot-actor triggers. Review every workflow that allows bot-type GitHub actors or users without write access to trigger Claude. Remove or restrict these triggers to verified repository collaborators only.
  3. Remove permissive example configurations. Delete the allowed_non_write_users: "*" setting from any Claude workflow. If open-contribution triggering is a business requirement, implement a mandatory human-approval gate before Claude is invoked.
  4. Apply least-privilege to GitHub Actions permissions. Claude Code should hold only the minimum OAuth scopes required for its specific function. Blanket read and write access across all repository resources is not appropriate for automated AI agents.
  5. Restrict data exfiltration paths. Disable or restrict access to public workflow summary output. Audit which tools and environment variable access paths are available to Claude during a run, and remove anything not strictly required.
  6. Validate PIPEDA and CCCS compliance posture. If your pipelines handle personal information covered under PIPEDA, confirm that compromised CI/CD credentials cannot reach that data. Review alignment with CCCS supply chain security advisories and document your remediation steps.
  7. Monitor for prompt injection indicators. Watch for unexpected AI agent behavior, unauthorized commits, unexplained workflow modifications, or GitHub issue content that contains unusual embedded instructions. Treat any anomalous Claude behavior as a potential security event and escalate accordingly.
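Steps 1, 3 and 4 above can be checked mechanically across an organization's workflow files. The following is an added example, not Anthropic's tooling: a line-based audit that flags a claude-code-action pin older than the fixed v1.0.94, the permissive allowed_non_write_users: "*" setting, and broad write permissions. It scans the YAML as text so it needs no extra library; the "three or more write scopes" threshold is a heuristic chosen here, not a figure from the disclosure, and the two workflow snippets are constructed for the demonstration.

```python
# Added example (not Anthropic's tooling): audit GitHub Actions workflow files
# for the claude-code-action weaknesses discussed in the article. Field names
# (allowed_non_write_users, anthropics/claude-code-action) and the fixed
# version v1.0.94 come from the article; the write-scope threshold is a
# heuristic chosen for this example.
from __future__ import annotations
import re
from pathlib import Path

FIXED_VERSION = (1, 0, 94)  # first release carrying the fix, per the disclosure

USES_RE = re.compile(r"uses:\s*anthropics/claude-code-action@(\S+)")
NON_WRITE_RE = re.compile(r"""allowed_non_write_users:\s*["']?\*["']?\s*(#.*)?$""")
WRITE_ALL_RE = re.compile(r"^\s*permissions:\s*write-all\b")
SCOPE_WRITE_RE = re.compile(r"^\s*([a-z-]+):\s*write\b")
BROAD_WRITE_THRESHOLD = 3  # heuristic: this many write scopes is "blanket" access


def parse_version(tag: str):
    """(major, minor, patch) for tags like v1.0.94; None for floating tags
    such as v1 or for commit SHAs, whose version must be resolved separately."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding_kind, message) for each issue, by line."""
    findings: list[tuple[int, str, str]] = []
    write_scopes: list[tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if (m := USES_RE.search(line)):
            tag = m.group(1)
            ver = parse_version(tag)
            if ver is None:
                findings.append((lineno, "unverifiable-pin",
                                 f"claude-code-action@{tag}: floating tag or SHA; "
                                 "confirm it resolves to v1.0.94 or later"))
            elif ver < FIXED_VERSION:
                findings.append((lineno, "outdated",
                                 f"claude-code-action@{tag} predates the fixed v1.0.94"))
        if NON_WRITE_RE.search(line):
            findings.append((lineno, "permissive-trigger",
                             'allowed_non_write_users: "*" lets any GitHub user trigger Claude'))
        if WRITE_ALL_RE.match(line):
            findings.append((lineno, "broad-permissions",
                             "permissions: write-all grants write on every resource"))
        elif (m := SCOPE_WRITE_RE.match(line)):
            write_scopes.append((lineno, m.group(1)))
    if len(write_scopes) >= BROAD_WRITE_THRESHOLD:
        scopes = ", ".join(s for _, s in write_scopes)
        findings.append((write_scopes[0][0], "broad-permissions",
                         f"write on {scopes}; trim to what the job actually needs"))
    return sorted(findings)


def audit_directory(root: str) -> dict[str, list[tuple[int, str, str]]]:
    """Audit every workflow under <root>/.github/workflows."""
    return {str(p): audit_workflow(p.read_text())
            for p in sorted(Path(root, ".github", "workflows").glob("*.y*ml"))}


# Constructed sample: mirrors the risky example-template shape described above.
RISKY_WORKFLOW = """\
name: Claude issue triage
on:
  issues:
    types: [opened]
permissions:
  contents: write
  issues: write
  pull-requests: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1.0.90
        with:
          allowed_non_write_users: "*"
          prompt: "Triage this issue"
"""

# Constructed sample: patched pin, no open trigger, minimal permissions.
REMEDIATED_WORKFLOW = """\
name: Claude issue triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1.0.94
        with:
          prompt: "Triage this issue"
"""

if __name__ == "__main__":
    for name, text in (("risky", RISKY_WORKFLOW), ("remediated", REMEDIATED_WORKFLOW)):
        print(f"== {name}")
        for lineno, kind, msg in audit_workflow(text):
            print(f"  line {lineno}: [{kind}] {msg}")
```

Run `audit_directory(".")` from a checkout to get findings per workflow file. A floating tag such as `@v1` or a commit SHA is reported as unverifiable rather than silently accepted, because the scanner cannot know which release it resolves to; that is exactly the case step 1 asks you to confirm by hand.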
