Full Report
A security researcher found a flaw in Anthropic's Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it, with nothing more than a single opened GitHub issue. Because Anthropic's own action repo used the same workflow, a working attack could have pushed malicious code into the action itself and onto the projects downstream that pull it. RyotaK of GMO
Analysis Summary
# Vulnerability: Unauthorized Takeover of Repositories via Claude Code GitHub Action
## CVE Details
- **CVE ID**: Not Assigned (Reported via Bug Bounty)
- **CVSS Score**: 7.8 (High) - per Anthropic's CVSS v4.0 assessment
- **CWE**: CWE-94 (Improper Control of Generation of Code), CWE-269 (Improper Privilege Management), CWE-116 (Improper Encoding or Escaping of Output)
## Affected Systems
- **Products**: Anthropic Claude Code GitHub Action (`claude-code-action`)
- **Versions**: All versions prior to v1.0.94
- **Configurations**:
  - Public repositories running the GitHub Action for issue triage or PR review.
  - Particularly vulnerable if `allowed_non_write_users` is set to `"*"` or if default workflow permissions grant write access to code/workflows.
## Vulnerability Description
The vulnerability stems from a flaw in how the GitHub Action authenticates triggers and processes input. There were three primary components to the flaw:
1. **Authentication Bypass**: The action failed to properly verify if a bot triggering the workflow was authorized. It incorrectly trusted any actor name ending in `[bot]`, allowing attackers to use their own registered GitHub Apps to trigger the action on target repositories.
2. **Indirect Prompt Injection**: Once triggered, the Claude agent would read the body of a malicious issue. Attackers crafted inputs that looked like system errors to trick the AI into executing arbitrary commands (e.g., retrieving environment variables) instead of its intended task.
3. **Data Exfiltration/Credential Theft**: The attacker used the AI to read `/proc/self/environ`, bypassing naive security guards to access OIDC credentials. The attacker could then exchange these credentials for a GitHub App installation token with broad write access to the repository.
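The following is an added example and not code from claude-code-action. It places the suffix-based trust check described in point 1 beside an allowlist-based check. The `TriggerContext` shape, the `allowedBots` list (modelled on an explicit bot allowlist input; assumed, not taken from the action) and the decision to refuse a `"*"` wildcard in `allowedNonWriteUsers` are assumptions of this example.

```typescript
// Added example (not code from claude-code-action): the vulnerable "[bot]" suffix check
// beside an allowlist-based check for the account that triggered a workflow run.

// Constructed context shape: only the fields this example needs.
interface TriggerContext {
  actor: string; // login of the user or app that triggered the run (GITHUB_ACTOR)
  actorType: "User" | "Bot"; // sender.type from the event payload
  actorPermission: "admin" | "write" | "read" | "none"; // collaborator permission on the repo
}

// Vulnerable pattern from the report: any login ending in "[bot]" is trusted outright,
// so an attacker-registered GitHub App (whose login also ends in "[bot]") passes the check.
function isTrustedActorVulnerable(ctx: TriggerContext): boolean {
  if (ctx.actor.endsWith("[bot]")) return true;
  return ctx.actorPermission === "admin" || ctx.actorPermission === "write";
}

// Hardened pattern: bots are trusted only on an exact-login allowlist (assumed input),
// humans need write access unless explicitly listed, and the "*" wildcard is refused
// because it would let any GitHub account trigger the agent (a design choice of this example).
function isTrustedActorHardened(
  ctx: TriggerContext,
  allowedBots: string[],
  allowedNonWriteUsers: string[],
): boolean {
  if (ctx.actorType === "Bot") {
    // exact match only; a suffix match is what the vulnerable version got wrong
    return allowedBots.includes(ctx.actor);
  }
  if (ctx.actorPermission === "admin" || ctx.actorPermission === "write") return true;
  if (allowedNonWriteUsers.includes("*")) return false; // treat the wildcard as misconfiguration
  return allowedNonWriteUsers.includes(ctx.actor);
}

// Constructed actors used to compare the two checks.
const ATTACKER_APP: TriggerContext = { actor: "attacker-app[bot]", actorType: "Bot", actorPermission: "none" };
const KNOWN_BOT: TriggerContext = { actor: "dependabot[bot]", actorType: "Bot", actorPermission: "none" };
const DRIVE_BY_USER: TriggerContext = { actor: "drive-by", actorType: "User", actorPermission: "none" };
const MAINTAINER: TriggerContext = { actor: "maintainer", actorType: "User", actorPermission: "write" };
```

The difference that matters is the bot branch: the vulnerable check asks only whether the login looks like a bot, while the hardened check asks whether it is a specific bot the repository chose to trust. Refusing `"*"` for non-write users is stricter than merely warning about it; a repository that genuinely wants any account to trigger the agent should be made to say so in a way that cannot be mistaken for a default.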
## Exploitation
- **Status**: PoC available (Reported by RyotaK); similar chains have been exploited in the wild (e.g., Cline supply-chain attack).
- **Complexity**: Medium
- **Attack Vector**: Network (GitHub issue/PR submission)
## Impact
- **Confidentiality**: High (Access to secrets, environment variables, and OIDC tokens)
- **Integrity**: High (Ability to push malicious code to the repository or modify workflows)
- **Availability**: High (Potential to disrupt repository operations or poison downstream dependencies)
## Remediation
### Patches
- **Update to claude-code-action v1.0.94 or later.** Anthropic has implemented hardening measures and fixed the bot-actor validation logic.
### Workarounds
- **Strict Permissioning**: Follow the principle of least privilege for `GITHUB_TOKEN`.
- **Review Access Controls**: Ensure `allowed_non_write_users` is not set to `"*"` in repository workflows.
- **Limit Secrets**: Avoid providing the action with access to any secrets beyond the essential `ANTHROPIC_API_KEY`.
## Detection
- **Indicators of Compromise**:
  - Unexpected GitHub issues or PRs containing suspiciously formatted "error messages" or technical commands.
  - Workflow runs triggered by unknown bots or apps ending in `[bot]`.
  - Unusual activity in GitHub Action logs showing attempts to read `/proc/` or system environment files.
- **Detection Methods**: Audit GitHub Action run histories for any repository using Claude Code for unexpected "Agent" behavior or unauthorized triggers.
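Detection logic as an added example, not part of the original report: it audits constructed workflow-run records for the two indicators above that can be checked mechanically, runs triggered by a `[bot]` login that is not on a known list, and job-log lines that reference `/proc/self/environ` or another `/proc/` path. The record shape (`triggeringActor`, `logLines`), the `KNOWN_BOTS` list and the sample runs are assumptions constructed for this example.

```typescript
// Added example (not from the original report): flag workflow runs matching the
// indicators of compromise listed above. Record shape and sample data are constructed.

interface WorkflowRun {
  id: number;
  event: string; // e.g. "issues", "issue_comment", "pull_request"
  triggeringActor: string; // login of the account that caused the run
  logLines: string[]; // constructed excerpt of the job log
}

interface Finding {
  runId: number;
  indicator: "unknown-bot-trigger" | "proc-environ-read" | "proc-read";
  detail: string;
}

// Bots expected to trigger runs in this repository (assumed list; tune per repo).
const KNOWN_BOTS: Set<string> = new Set(["dependabot[bot]", "github-actions[bot]"]);

// Reads of the process environment are the specific indicator from the report;
// any other /proc/ reference is reported at lower confidence.
const PROC_ENVIRON = /\/proc\/(self|\d+)\/environ/;
const PROC_ANY = /\/proc\/\S+/;

function auditRuns(runs: WorkflowRun[], knownBots: Set<string> = KNOWN_BOTS): Finding[] {
  const findings: Finding[] = [];
  for (const run of runs) {
    // Indicator: run triggered by a "[bot]" login that this repository does not recognise.
    if (run.triggeringActor.endsWith("[bot]") && !knownBots.has(run.triggeringActor)) {
      findings.push({
        runId: run.id,
        indicator: "unknown-bot-trigger",
        detail: `${run.triggeringActor} via ${run.event}`,
      });
    }
    // Indicator: the agent (or a tool it invoked) touched /proc during the run.
    for (const line of run.logLines) {
      if (PROC_ENVIRON.test(line)) {
        findings.push({ runId: run.id, indicator: "proc-environ-read", detail: line.trim() });
      } else if (PROC_ANY.test(line)) {
        findings.push({ runId: run.id, indicator: "proc-read", detail: line.trim() });
      }
    }
  }
  return findings;
}

// Constructed sample: one benign run, one shaped like the reported attack.
const SAMPLE_RUNS: WorkflowRun[] = [
  {
    id: 101,
    event: "pull_request",
    triggeringActor: "dependabot[bot]",
    logLines: ["Reviewing PR #42", "Posting review comment"],
  },
  {
    id: 102,
    event: "issues",
    triggeringActor: "attacker-app[bot]",
    logLines: ["Triaging issue #7", "Bash(cat /proc/self/environ)"],
  },
];
```

Run the audit over the run history exported from the GitHub API for each repository that uses the action; a finding of `unknown-bot-trigger` on an `issues` event is the shape of the trigger described in this report, and a `proc-environ-read` in the same run is the credential-theft step. Suffix matching is appropriate here because the goal is to surface every bot-looking actor for review, the opposite of the trust decision the action itself has to make.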
## References
- https://flatt.tech/research/posts/poisoning-claude-code-one-github-issue-to-break-the-supply-chain/
- https://github.com/anthropics/claude-code-action/commit/1bbc9e7ff7d48e1299f7fa9698273d248e0cafea
- https://thehackernews.com/2026/06/claude-code-github-action-flaw-let-one.html