A recently disclosed security flaw in Anthropic’s Claude Code GitHub Action could have allowed attackers to gain unauthorized access to public repositories using nothing more than a single GitHub issue.
The vulnerability, discovered by security researcher RyotaK of GMO Flatt Security, exposed a dangerous chain of attacks that could potentially lead to repository compromise, credential theft, and even software supply-chain attacks affecting downstream projects.
Anthropic addressed the issue shortly after it was reported and has since released additional security improvements in claude-code-action version 1.0.94.
How the Vulnerability Worked
Claude Code GitHub Action enables organizations to integrate AI-powered workflows directly into their development pipelines. The tool can automatically triage issues, review pull requests, apply labels, and execute commands within repositories.
Because these workflows often require broad permissions, the action is designed to limit who can trigger AI-driven operations. Normally, only users with write access to a repository should be allowed to initiate certain tasks.
However, researchers discovered a flaw in the permission validation process.
The GitHub Action incorrectly trusted any account whose username ended with “[bot],” assuming it belonged to a legitimate GitHub App. In reality, anyone can create their own GitHub App, install it on a repository they control, and use it to interact with public repositories.
As a result, malicious actors could bypass intended restrictions and submit content that Claude would process as trusted input.
Prompt Injection Turns AI Into an Attack Tool
After bypassing the trigger restrictions, the next stage of the attack relied on indirect prompt injection.
Prompt injection occurs when hidden instructions are embedded within content that an AI model reads. Instead of following its intended task, the AI can be manipulated into executing attacker-controlled actions.
In the proof-of-concept attack, the researcher crafted a GitHub issue that appeared to contain an error message. By carefully refining the embedded instructions, Claude was persuaded to execute actions that exposed sensitive information from the environment where the workflow was running.
The attack targeted environment variables that often contain authentication credentials and other secrets used by automated workflows.
Although Claude Code includes protections against directly accessing sensitive files, the researcher demonstrated methods to bypass those safeguards and retrieve valuable data.
Repository Write Access at Risk
The most critical aspect of the vulnerability involved credentials used by GitHub Actions to obtain OpenID Connect (OIDC) tokens.
These tokens allow workflows to prove their identity and request temporary access credentials from external services.
Researchers found that by obtaining the necessary credentials from the workflow environment, an attacker could impersonate the running workflow and request a GitHub App installation token with write permissions.
This could potentially grant attackers the ability to:
- Modify repository code
- Alter GitHub workflows
- Create or modify issues and pull requests
- Push unauthorized commits
- Conduct supply-chain attacks against dependent projects
Because Anthropic’s own Claude Code Action repository used similar workflows, researchers noted that a successful compromise could theoretically have allowed malicious code to be inserted into the action itself and distributed to downstream users.
Additional Security Concerns
The researcher also identified other risky configurations that could increase exposure.
One example involved a workflow template provided by Anthropic that allowed any user to trigger issue-triage actions. While documentation warned users about the risks of this setting, many repositories adopted the example configuration without modifying it.
Another issue involved task summaries being posted to publicly visible workflow logs. In certain situations, this could create opportunities for sensitive information to be exposed.
Researchers also highlighted a timing-based attack scenario in which an attacker could modify an issue after a trusted user triggered the workflow but before Claude processed the content, effectively sneaking malicious instructions into what appeared to be a trusted request.
Real-World AI Supply Chain Risks
The findings reinforce growing concerns about AI-powered automation in software development environments.
Security experts point to a recent incident involving an AI-based issue-triage workflow used by the Cline project. In that case, attackers leveraged prompt injection techniques to steal an npm publishing token and publish an unauthorized package version.
Although the compromised package was removed within hours and did not contain malicious malware, the incident demonstrated how AI agents with elevated permissions can become attractive targets.
Researchers have also observed automated systems actively scanning GitHub repositories for misconfigured AI workflows and opportunities to exploit prompt injection vulnerabilities.
Anthropic’s Response
Anthropic responded quickly after receiving the vulnerability report in January, fixing the primary bypass within four days and rolling out additional security improvements over the following months.
The company assigned the issue a CVSS v4.0 severity score of 7.8 and awarded a bug bounty to the researcher.
Users running Claude Code GitHub Action are advised to upgrade immediately to version 1.0.94 or later and review repository permissions carefully.
Security Recommendations
Organizations using AI-powered GitHub workflows should take several precautions:
- Update to the latest Claude Code Action release.
- Restrict workflow triggers to trusted users only.
- Avoid granting unnecessary repository permissions.
- Limit access to secrets and sensitive environment variables.
- Monitor workflows for prompt injection attempts.
- Remove tools or integrations that could be used for data exfiltration.
- Regularly audit GitHub Actions configurations and permissions.
The Bigger AI Security Challenge
The disclosure highlights a broader issue facing the industry: prompt injection remains an unresolved security challenge.
As AI agents become more deeply integrated into development pipelines and gain access to repositories, APIs, and automation tools, the consequences of successful prompt injection attacks continue to grow.
Security researchers warn that any AI system with access to powerful tools and sensitive credentials can only be as secure as the permissions it receives. Until stronger safeguards emerge, organizations deploying AI-powered coding assistants must treat them as high-risk components within their software supply chains.
