Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories
Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories
https://thehackernews.com/2026/06/claude-code-github-action-flaw-let-one.html
Publish Date: 2026-06-04 11:15:00
Source Domain: thehackernews.com
A security researcher found a flaw in Anthropic’s Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it, with nothing more than a single opened GitHub issue. Because Anthropic’s own action repo used the same workflow, a working attack could have pushed malicious code into the action itself and onto the projects downstream that pull it.
RyotaK of GMO Flatt Security reported the core bypass to Anthropic in January, and Anthropic fixed it within four days, with further hardening through the spring; the fixes are in claude-code-action v1.0.94. Anthropic rated the issues 7.8 under CVSS v4.0 and paid a bug bounty.
Claude Code GitHub Actions drops Claude into CI/CD pipelines to triage issues, slap on labels, review pull requests, or run slash commands. By default, the workflow gets read and write access to a repo’s code, issues, pull requests, discussions, and workflow files. Because those permissions are broad, the action is supposed to be picky about who can trigger it: only users with write access.
The trigger check had a hole. It waved through any actor whose name ended in [bot], on the assumption that GitHub Apps are trusted things admins install. Trouble is, anyone can register a GitHub App, install it on a repo they own, and use its token to open an issue or pull request on any public repository. The action saw “a bot” and let the attacker’s content through. Tag mode had an extra check to confirm the actor was a real human; agent mode didn’t, which left it open.
From there, the attacker leans on indirect prompt injection, the trick of planting instructions inside content that an AI reads so the model follows them instead of its actual task. RyotaK wrote an issue whose body looked like an error message, then refined the prompt until Claude would “recover” by running the commands buried in it. The target is /proc/self/environ, the Linux file that holds…
