A security researcher, RyotaK of GMO Flatt Security, found a serious flaw in Anthropic’s Claude Code GitHub Action that let attackers take over vulnerable public repositories. The attack needed nothing more than a single opened GitHub issue.
The risk ran deep: because Anthropic’s own action repo used the same workflow, a working attack could have pushed malicious code into the action itself, and from there into every downstream project that pulls it. RyotaK of GMO Flatt Security reported the core bypass to Anthropic in January.
Anthropic fixed it within four days, added further hardening through spring, and shipped the fixes in claude-code-action v1.0.94. The company rated the issues 7.8 under CVSS v4.0 and paid a bug bounty.
How the Attack Worked
Claude Code GitHub Actions drops Claude into CI/CD pipelines to triage issues, add labels, review pull requests, and run slash commands. By default, the workflow gets read and write access to a repo’s code, issues, pull requests, discussions, and workflow files. Because those permissions are broad, the action is supposed to allow only users with write access to trigger it.
The trigger check had a hole: it waved through any actor whose login ended in “[bot],” on the assumption that GitHub Apps are trusted. However, anyone can register a GitHub App, install it on a repo they own, and use its token to open an issue on any public repository. The action saw a bot and let the attacker’s content through. Tag mode included an extra human-verification check, but agent mode did not, leaving it exposed.
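To make the flaw concrete, here is an added example (written for this article, not code from claude-code-action or Anthropic) that contrasts a “[bot]”-suffix trust heuristic with a check that consults the actor’s actual repository permission. The event payloads, logins and permission table are constructed; the `lookupPermission` function stands in for GitHub’s collaborator permission endpoint (`GET /repos/{owner}/{repo}/collaborators/{username}/permission`) so the code runs offline.

```javascript
// Added example, not claude-code-action's own code. Shows why a "[bot]" login
// suffix is not evidence of trust, and what a hardened check looks like.
// All payloads and the permission table below are constructed.

// Weak heuristic, modelled on the flaw described above: any actor whose login
// ends in "[bot]" is accepted, regardless of what access it actually has.
function weakIsTrusted(actorLogin, hasWriteAccess) {
  return actorLogin.endsWith("[bot]") || hasWriteAccess;
}

// Permission levels GitHub reports that imply write access to the repo.
const WRITE_LEVELS = new Set(["write", "maintain", "admin"]);

// Hardened check: ignore the login entirely and ask what permission this
// actor holds on the repository. lookupPermission is injected so the example
// runs offline; in a workflow it would call the collaborator permission API.
function hardenedIsTrusted(actorLogin, lookupPermission) {
  return WRITE_LEVELS.has(lookupPermission(actorLogin));
}

// Constructed permission table for a hypothetical repository.
const PERMISSIONS = {
  "maintainer-alice": "admin",
  "trusted-ci[bot]": "write",   // an app the repo owner actually installed
  "attacker-app[bot]": "none",  // an app registered and installed by an outsider
  "drive-by-user": "read",
};
const lookup = (login) => PERMISSIONS[login] ?? "none";

// Constructed issues.opened payloads, reduced to the fields the check uses.
const SAMPLE_EVENTS = [
  { action: "opened", sender: { login: "maintainer-alice", type: "User" } },
  { action: "opened", sender: { login: "trusted-ci[bot]", type: "Bot" } },
  { action: "opened", sender: { login: "attacker-app[bot]", type: "Bot" } },
  { action: "opened", sender: { login: "drive-by-user", type: "User" } },
];

// Evaluate one payload under both policies.
function evaluate(event) {
  const login = event.sender.login;
  const reallyHasWrite = WRITE_LEVELS.has(lookup(login));
  return {
    login,
    weak: weakIsTrusted(login, reallyHasWrite),
    hardened: hardenedIsTrusted(login, lookup),
  };
}

function runAll() {
  return SAMPLE_EVENTS.map(evaluate);
}

console.table(runAll());
```

The third row is the bypass: `attacker-app[bot]` holds no permission on the repo, yet the weak policy accepts it purely because of the suffix, while the hardened policy rejects it and still accepts the app the owner actually installed.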
From there, the attacker used indirect prompt injection. This trick plants hidden instructions inside content an AI reads, so the model follows them instead of its real task. RyotaK wrote an issue that looked like an error message, then refined the prompt until Claude would “recover” by running commands buried inside it. The target was a Linux file holding environment variables, including secrets. Claude eventually wrote those values back into the issue, where the attacker could grab them.
The real prize was the credential pair GitHub Actions uses to request an OIDC token. Claude Code trades that token with Anthropic’s backend for a write-access GitHub App token. Steal the credentials, replay the exchange, and an attacker holds write access to the target’s code, issues, and workflows.
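One mitigation a workflow owner can apply regardless of which prompt-injection variant is in play is an output guard: nothing the agent is about to post back to an issue or comment should contain the values of the runner’s sensitive environment variables. The following is an added example (not Anthropic’s code) of such a guard. The environment map and the draft comment are constructed placeholders; the variable names `ACTIONS_ID_TOKEN_REQUEST_TOKEN` and `ACTIONS_ID_TOKEN_REQUEST_URL` are the real pair a GitHub Actions job uses to request an OIDC token, and `GITHUB_TOKEN` is the standard job token.

```javascript
// Added example, not Anthropic's code: redact runner secrets from text an
// agent is about to post, and refuse to post at all if anything was redacted.
// FAKE_ENV and DRAFT are constructed; no real tokens appear here.

const SENSITIVE_ENV_NAMES = [
  "ACTIONS_ID_TOKEN_REQUEST_TOKEN",
  "ACTIONS_ID_TOKEN_REQUEST_URL",
  "GITHUB_TOKEN",
  "ANTHROPIC_API_KEY",
];

// Do not substring-match very short values; they would be found everywhere.
const MIN_VALUE_LEN = 8;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Returns { text, redactions }. Two passes: (1) replace the actual values of
// sensitive variables wherever they appear; (2) mask "NAME=value" lines that
// look like a dumped environment, even when the value is unknown to us.
function redactSecrets(draft, env) {
  let text = draft;
  const redactions = [];
  for (const name of SENSITIVE_ENV_NAMES) {
    const value = env[name];
    if (value && value.length >= MIN_VALUE_LEN && text.includes(value)) {
      text = text.split(value).join(`[REDACTED:${name}]`);
      redactions.push(name);
    }
  }
  const dumpPattern = new RegExp(
    `\\b(${SENSITIVE_ENV_NAMES.map(escapeRegExp).join("|")})=\\S+`,
    "g",
  );
  text = text.replace(dumpPattern, (_, name) => {
    if (!redactions.includes(name)) redactions.push(name);
    return `${name}=[REDACTED]`;
  });
  return { text, redactions };
}

// Policy: a draft that needed any redaction is not posted; it is logged for
// a human to look at instead.
function shouldPost(draft, env) {
  return redactSecrets(draft, env).redactions.length === 0;
}

// Constructed runner environment with placeholder values.
const FAKE_ENV = {
  ACTIONS_ID_TOKEN_REQUEST_TOKEN: "fake-oidc-request-token-0123456789",
  ACTIONS_ID_TOKEN_REQUEST_URL: "https://example.invalid/oidc-placeholder",
  GITHUB_TOKEN: "ghs_fakeplaceholder000000",
  HOME: "/home/runner",
};

// Constructed draft of the kind an injected agent might try to post.
const DRAFT = [
  "I recovered from the error by dumping the environment:",
  "HOME=/home/runner",
  "ACTIONS_ID_TOKEN_REQUEST_TOKEN=fake-oidc-request-token-0123456789",
  "and the URL is https://example.invalid/oidc-placeholder",
].join("\n");

console.log(redactSecrets(DRAFT, FAKE_ENV));
console.log("post allowed:", shouldPost(DRAFT, FAKE_ENV));
```

Value matching catches secrets that the agent has paraphrased into a sentence; the `NAME=value` pass catches a raw environment dump even for variables whose values the guard was not given. Refusing to post rather than silently posting the redacted text makes the incident visible to the maintainers.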
Not Just Theoretical
RyotaK also flagged easier routes. Anthropic’s own example triage workflow shipped with a setting that let anyone trigger it, and Claude posted task summaries to a publicly visible panel, a ready-made data leak. Many repos copied that example and inherited the flaw.
The same setup has already caused real damage. In February, a prompt-injected issue against Cline’s triage workflow let attackers steal an npm publish token and push an unauthorized version. RyotaK says he has now reported around 50 separate ways to bypass Claude Code’s permission system, underscoring that prompt injection remains an unsolved problem in AI coding agents.
You can read the security research report here.
