A security vulnerability discovered in Anthropic’s Claude Code GitHub Action reportedly exposed public repositories to potential takeover through a single malicious GitHub issue, raising concerns around AI-driven automation within software development environments. Security researcher RyotaK from GMO Flatt Security identified the flaw, which could have enabled attackers to gain write access to vulnerable repositories that were running the affected workflow. Researchers warned that because Anthropic’s own repository used the same setup, a successful compromise could have extended beyond individual projects and potentially introduced malicious code into the Claude Code action itself, affecting downstream repositories that depended on it.
Anthropic reportedly received the vulnerability disclosure in January 2026 and addressed the core issue within four days, followed by additional hardening measures introduced over the following months. The fixes were ultimately included in claude-code-action version 1.0.94. The company assigned the issue a severity score of 7.8 under the Common Vulnerability Scoring System version 4.0 and issued a bug bounty payment to the researcher. Claude Code GitHub Actions are designed to integrate Anthropic’s AI assistant into continuous integration and continuous delivery pipelines, helping development teams triage issues, apply labels, review pull requests, and process slash commands. By default, these workflows operate with broad permissions, including read and write access to repository code, workflow files, pull requests, issues, and discussions. To reduce misuse, the system was intended to allow activation only by users with write access to a repository.
According to technical findings, the vulnerability stemmed from an authentication bypass linked to how the GitHub Action validated users. The workflow reportedly trusted any account name ending with “[bot],” assuming such actors represented legitimate GitHub applications approved by repository administrators. However, researchers explained that anyone could create a GitHub App, install it on their own repository, and use its token to open issues or pull requests against public repositories. As a result, Claude Code mistakenly recognized the activity as trusted and processed malicious input. While one operating mode contained an additional safeguard to confirm whether the actor was a verified human user, another mode lacked the same validation and remained vulnerable. RyotaK reportedly exploited this weakness through indirect prompt injection, a technique in which hidden instructions are embedded in content processed by AI systems. By disguising malicious instructions inside what appeared to be an error message, the researcher refined prompts until Claude attempted to recover by executing hidden commands. This process reportedly targeted Linux environment files containing sensitive variables, allowing secret credentials to be exposed through issue responses visible to attackers.
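As an added illustration (not code from claude-code-action or Anthropic, whose real checks are not reproduced here), the TypeScript below contrasts a trust check that accepts any login ending in “[bot]” with one that requires an explicit allowlist of bot logins plus a write-permission lookup for humans. The actor records, the allowlist and the permission lookup are constructed for the example.

```typescript
// Added example, not code from claude-code-action or Anthropic: the weak
// actor check described in the article beside a hardened one.
type ActorType = "User" | "Bot";
type Permission = "none" | "read" | "triage" | "write" | "maintain" | "admin";
interface EventActor { login: string; type: ActorType; }
type PermissionLookup = (login: string) => Permission;
const WRITE_OR_HIGHER = new Set<Permission>(["write", "maintain", "admin"]);

// Weak check: humans need write access, but any login ending in "[bot]" is
// assumed to be an admin-installed GitHub App. Anyone can register an App,
// so the suffix alone says nothing about who installed it on this repo.
function isTrustedWeak(actor: EventActor, lookup: PermissionLookup): boolean {
  if (actor.login.endsWith("[bot]")) return true;
  return WRITE_OR_HIGHER.has(lookup(actor.login));
}

// Hardened check: a bot is trusted only if its exact login is on a
// maintainer-managed allowlist; humans still need write access. `lookup` is
// an assumed helper (e.g. backed by the collaborator permission endpoint).
function isTrustedHardened(
  actor: EventActor,
  allowedBots: ReadonlySet<string>,
  lookup: PermissionLookup,
): boolean {
  if (actor.type === "Bot") return allowedBots.has(actor.login);
  return WRITE_OR_HIGHER.has(lookup(actor.login));
}
// Constructed sample actors: an App registered by an outsider, an App the
// maintainers allowlisted, a read-only human and a maintainer with write.
const SAMPLE_ACTORS: EventActor[] = [
  { login: "issue-helper[bot]", type: "Bot" },
  { login: "dependabot[bot]", type: "Bot" },
  { login: "drive-by-user", type: "User" },
  { login: "repo-maintainer", type: "User" },
];
const ALLOWED_BOTS = new Set<string>(["dependabot[bot]"]);
const samplePermission: PermissionLookup = (login) =>
  login === "repo-maintainer" ? "write" : "read";
// Run both checks over the sample; only the weak one admits the outsider's App.
function compareChecks(): Record<string, { weak: boolean; hardened: boolean }> {
  const result: Record<string, { weak: boolean; hardened: boolean }> = {};
  for (const actor of SAMPLE_ACTORS) {
    result[actor.login] = {
      weak: isTrustedWeak(actor, samplePermission),
      hardened: isTrustedHardened(actor, ALLOWED_BOTS, samplePermission),
    };
  }
  return result;
}
```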
Researchers stated that the most valuable information stored in these variables involved credentials used by GitHub Actions to request OpenID Connect tokens, which authenticate workflows running within repositories. Claude Code reportedly exchanged these credentials with Anthropic’s backend systems to receive a GitHub App installation token containing write access to repository assets, including codebases, issues, and workflows. According to the researcher, attackers obtaining these credentials could potentially replay the authentication exchange and gain elevated repository control. Anthropic’s own documentation was also found to contain a softer exposure route, as example workflows included a setting that allowed non-privileged users to trigger issue triage functionality. Additional concerns were raised regarding task summaries posted publicly during workflow execution, potentially creating opportunities for data leakage. Security experts noted that this type of threat is not theoretical, pointing to a February incident involving a prompt-injected issue targeting Cline’s Claude Code-based triage workflow that reportedly enabled attackers to steal an npm publishing token and distribute an unauthorized package version. While no evidence currently suggests Anthropic’s own repository was exploited through this specific flaw, RyotaK reportedly identified nearly 50 separate methods capable of bypassing Claude Code permission systems and executing commands. The findings have renewed attention on prompt injection risks affecting AI coding agents, particularly when such systems operate with elevated permissions and direct access to sensitive development workflows.