Vulnerability in Claude Code GitHub Action Allows Repository Hijacking

A flaw in Anthropic's Claude Code GitHub Action has been identified, enabling attackers to potentially take over public repositories by exploiting a single GitHub issue.

A recent security vulnerability in Anthropic’s Claude Code GitHub Action has been discovered, which allows an attacker to hijack vulnerable public repositories by simply opening a GitHub issue. This flaw was reported by security researcher RyotaK from GMO Flatt Security in January 2026, and Anthropic addressed the issue within four days, implementing further enhancements throughout the spring. The fixes are included in claude-code-action v1.0.94.

Nature of the Vulnerability

The vulnerability stems from the broad permissions granted to the Claude Code GitHub Action, which is designed to assist in continuous integration and continuous deployment (CI/CD) workflows. By default, the action has read and write access to a repository’s code, issues, pull requests, discussions, and workflow files. While the action is intended to restrict triggering to users with write access, a flaw allowed any actor whose name ended with [bot] to bypass this restriction.

Exploitation Method

Attackers could exploit this flaw by using a GitHub App, which anyone can register and install on their own repositories. Once installed, the app could open an issue or pull request on any public repository. Because a GitHub App acts under a name ending in [bot], content it posted passed the action's trigger check even though the app had no write access to the target. RyotaK demonstrated this by crafting an issue that contained an indirect prompt injection, which tricked the AI into executing commands hidden within the content.

Potential Impact

The most critical risk associated with this vulnerability is the potential theft of sensitive information, including GitHub Actions credentials used to request an OpenID Connect (OIDC) token. If an attacker successfully obtains these credentials, they could gain write access to the target repository’s code, issues, and workflows. This could lead to the injection of malicious code into the action itself, affecting downstream projects that utilize it.

Mitigation and Recommendations

To mitigate the risks associated with this vulnerability, users are advised to update to claude-code-action v1.0.94 or later. Additionally, it is recommended to audit any workflows that allow users without write access or bots to trigger the Claude action. Users should ensure that only trusted inputs are fed into the action and remove any tools or permissions that could be exploited for data exfiltration.
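The audit recommended above can be scripted. The following is an added example, not code from Anthropic or from the researcher: it checks a workflow file for an action ref older than v1.0.94, for inputs that let bots or non-write users trigger the action, and for write-scoped token permissions. The repository path anthropics/claude-code-action and the input names allowed_bots and allowed_non_write_users are assumptions to verify against the action.yml of the version in use, and the line-based matching is a simplification of real YAML parsing.

```python
import re

FIXED = (1, 0, 94)  # first fixed release named in the article
USES = re.compile(r"uses:\s*['\"]?anthropics/claude-code-action@([\w.-]+)")
# Assumed input names that widen who may trigger the action; check your version's action.yml.
WIDEN = re.compile(r"^\s*(allowed_bots|allowed_non_write_users)\s*:\s*(.*)$", re.M)
WRITE = re.compile(r"^\s*([\w-]+)\s*:\s*write\s*$", re.M)

def check_ref(ref):
    """Return a finding for a ref that is old or cannot be judged from the file alone."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    if not m:
        return f"ref '{ref}' is not a full version tag; confirm it resolves to v1.0.94 or later"
    if tuple(map(int, m.groups())) < FIXED:
        return f"ref '{ref}' predates v1.0.94"
    return None

def audit_workflow(text):
    """Return findings for one workflow file; empty if the action is not used."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # ignore commented-out lines
    refs = USES.findall(text)
    if not refs:
        return []
    findings = [f for f in map(check_ref, refs) if f]
    for name, value in WIDEN.findall(text):
        value = value.split(" #")[0].strip().strip("'\"")
        if value:  # an empty value is treated as "nobody extra allowed"
            findings.append(f"{name} = '{value}' lets actors without write access trigger the action")
    for scope in WRITE.findall(text):
        findings.append(f"workflow grants '{scope}: write'; drop it unless the job needs it")
    return findings

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
on:
  issues:
    types: [opened]
permissions:
  contents: write
  id-token: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1.0.80
        with:
          allowed_bots: "*"
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print("FINDING:", finding)
```

Refs given as a floating tag or a commit SHA are reported rather than passed, because the file alone does not show which release they resolve to.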

This incident highlights ongoing concerns regarding prompt injection vulnerabilities in AI coding agents and the need for stringent security measures in CI/CD environments.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ
