In January 2026, a critical vulnerability was discovered in Anthropic’s Claude Code GitHub Action by RyotaK from GMO Flatt Security. This flaw allowed attackers to hijack public repositories using the action by merely opening a GitHub issue. The potential damage included injecting malicious code into the action itself, affecting all downstream projects utilizing it.
Anthropic responded swiftly to the report, implementing a fix within four days and further strengthening security measures in subsequent months. The vulnerability, rated 7.8 on the CVSS v4.0 scale, was addressed with the release of claude-code-action v1.0.94. The company also rewarded the researcher with a bug bounty for his contribution.
Understanding the GitHub Action Flaw
Claude Code GitHub Actions integrates into CI/CD pipelines to manage issues, apply labels, review pull requests, and execute commands. The default settings grant extensive read and write permissions across a repository’s code, issues, pull requests, and workflow files. Ideally, only users with write access should trigger these workflows.
However, a loophole existed that allowed any actor with a name ending in [bot] to bypass these restrictions. This assumption about the trustworthiness of GitHub Apps led to vulnerabilities, as anyone could create a GitHub App, install it on their repository, and leverage its token to interact with public repositories. The absence of adequate checks in agent mode left the system open to exploitation.
Exploitation and Implications
Attackers could utilize indirect prompt injection, a method of embedding instructions in content intended for AI reading. RyotaK demonstrated how an attacker could use this technique to exploit the action, gaining access to sensitive environment variables and credentials. Particularly valuable were the credentials used to request an OIDC token, enabling attackers to gain write access to a repository’s code and workflows.
Moreover, Anthropic’s own example workflows contained risky settings, allowing non-write users to trigger actions. This oversight led to the risk of data leakage through publicly visible task summaries. The issue was compounded by repositories copying these flawed examples, inadvertently inheriting the security weaknesses.
Preventive Measures and Future Outlook
To mitigate this risk, users are advised to update to claude-code-action v1.0.94 or later and audit workflows to ensure that only trusted users can trigger actions. It’s crucial to limit the exposure of sensitive data and remove unnecessary permissions that could facilitate data exfiltration.
While this particular vulnerability has not been publicly exploited against live targets, the potential for abuse remains significant. RyotaK continues to identify and report security loopholes in AI coding agents, highlighting the persistent challenge of addressing prompt injection vulnerabilities.
The incident underscores the need for robust security practices and vigilance in managing permissions and workflows within software development environments. As AI integration into development processes grows, maintaining security will be a continuous and evolving challenge.
