GitHub issue could let attackers hijack repos via Claude Code
A flaw in Anthropic’s Claude Code GitHub Action let a single malicious issue exfiltrate workflow credentials and grant write access to vulnerable public repositories, a researcher reported.
A vulnerability in Anthropic’s Claude Code GitHub Action allowed a single crafted GitHub issue to extract workflow credentials and enable attackers to gain write access to public repositories running the action, a security researcher reported. The researcher, RyotaK of GMO Flatt Security, disclosed the core bypass in January; Anthropic patched the issue within four days and released further hardening through the spring. The fixes are available in claude-code-action v1.0.94. Anthropic assigned a CVSS v4.0 score of 7.8 to the issues and paid a bug bounty for the report.
By default the Claude Code workflow runs with read and write access to a repository’s code, issues, pull requests, discussions and workflow files. The action includes a check intended to allow only users with write access to trigger sensitive behavior. That check trusted any actor whose account name ended in “[bot]” on the assumption that GitHub Apps are always trusted. An attacker can register a GitHub App, install it on a repository they control, and use its installation token to open issues or pull requests on any public repository. The workflow then treated the actor as a bot and accepted the input.
Agent mode in Claude Code lacked an additional human check that is present in tag mode. An attacker combined the bot bypass with indirect prompt injection, posting an issue formatted like an error message and refining the text until the model followed embedded instructions instead of its intended task. The exploit targeted /proc/self/environ, the Linux file that holds a process’s environment variables. Although Claude Code blocks straightforward file reads, the crafted prompt caused the agent to write environment values into the issue body, where the attacker could copy them.
The most valuable data in those environment variables is the GitHub Actions credential pair used to request an OIDC token. Claude Code exchanges that OIDC token with Anthropic’s backend for a Claude GitHub App installation token that carries write privileges. With those tokens an attacker can obtain write access to a repository’s code, issues and workflows. If applied to the claude-code-action repository itself, the same chain could inject malicious code into the action and affect downstream projects that pull it.
RyotaK reported additional risks. Anthropic’s example issue-triage workflow shipped with allowed_non_write_users: "*", which lets anyone trigger the action; many repositories copied that example and inherited the exposure. Claude also posted task summaries to a workflow run’s public summary panel, creating another channel to leak data. A further attack path lets an adversary who can edit issues but not trigger the action alter a trusted user’s issue after a run starts but before Claude reads it, causing the agent to process tainted input labeled as trusted.
There is a known incident that used a similar chain. In February, a prompt-injected issue title against a claude-code-action triage workflow belonging to the developer Cline allowed attackers to steal an npm publish token and push an unauthorized package release. The rogue package installed a non-malicious AI agent and was removed about eight hours later. Automated probes under the name HackerBot-Claw later scanned repositories for misconfigurations at larger projects; some probe attempts to poison Claude-based reviewers were blocked when the agent refused the input.
Anthropic published fixes in claude-code-action v1.0.94 and later. RyotaK reported roughly 50 different bypass methods during disclosure, highlighting that prompt injection remains a recurring risk when AI agents have access to real tokens and tooling. The researcher recommended updating to the patched versions, auditing workflows that allow non-write users or bots to trigger active agents, removing unnecessary permissions and external tools, and not exposing any secret beyond the Anthropic API key and the GITHUB_TOKEN to workflows that handle untrusted input.
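
As an added example (not code from the article, Anthropic or the researcher), this Python sketch applies two of the recommended audit checks to a workflow file's text: it flags claude-code-action pins older than v1.0.94 and any allowed_non_write_users wildcard. The repository path anthropics/claude-code-action, the line-based matching and the sample workflow are assumptions of this example.

```python
import re

PATCHED = (1, 0, 94)  # claude-code-action v1.0.94, the fixed release named in the article
# Assumption: the action is referenced as anthropics/claude-code-action@<ref>.
USES_RE = re.compile(r"uses:\s*anthropics/claude-code-action@(\S+)")
WILDCARD_RE = re.compile(r"allowed_non_write_users:\s*[\"']?\*[\"']?\s*(#.*)?$")
SEMVER_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)$")

def audit_workflow(text):
    """Return (line_number, finding) tuples for one workflow file's text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#"):
            continue  # commented-out YAML is not active configuration
        m = USES_RE.search(line)
        if m:
            ref = m.group(1)
            ver = SEMVER_RE.match(ref)
            if ver is None:
                # Floating tag, branch or commit SHA: cannot be compared offline.
                findings.append((no, f"unverified ref '{ref}': confirm it resolves to v1.0.94 or later"))
            elif tuple(map(int, ver.groups())) < PATCHED:
                findings.append((no, f"unpatched claude-code-action {ref}"))
        if WILDCARD_RE.search(line):
            findings.append((no, "allowed_non_write_users is '*': any account can trigger the agent"))
    return findings

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
name: issue-triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1.0.60
        with:
          allowed_non_write_users: "*"
      # - uses: anthropics/claude-code-action@v1.0.10
      - uses: anthropics/claude-code-action@v1
"""

if __name__ == "__main__":
    for no, finding in audit_workflow(SAMPLE):
        print(f"line {no}: {finding}")
```

A floating tag such as v1 or a commit SHA is reported as unverified rather than safe, because what it resolves to cannot be determined from the workflow file alone.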