{"id":731533,"date":"2026-06-05T08:25:15","date_gmt":"2026-06-05T05:25:15","guid":{"rendered":"https:\/\/buradabiliyorum.com\/en\/claude-code-github-action-flaw-enabled-repository-hijacking\/"},"modified":"2026-06-05T08:25:15","modified_gmt":"2026-06-05T05:25:15","slug":"claude-code-github-action-flaw-enabled-repository-hijacking","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/claude-code-github-action-flaw-enabled-repository-hijacking\/","title":{"rendered":"Claude Code GitHub Action flaw enabled repository hijacking"},"content":{"rendered":"<div id=\"article-main-content\">\n<p><em><\/p>\n<div class=\"postContent-tldr\">\n<h4 class=\"postContent-offsetTitle\"><span class=\"ez-toc-section\" id=\"TLDR\"><\/span>TL;DR<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>A flaw in Anthropic\u2019s Claude Code GitHub Action let attackers bypass permission checks via a fake bot account and use prompt injection to steal OIDC tokens, gaining write access to any vulnerable repository. Anthropic patched the vulnerability within four days of disclosure.<\/p>\n<\/div>\n<p><\/em><\/p>\n<p>The attack starts with a GitHub issue. Not a sophisticated one. 
Just an issue opened by a bot account with a carefully worded body that looks like an error message. When Claude Code\u2019s GitHub Action picks it up for triage, it follows the instructions hidden inside, reads the process\u2019s environment variables, and writes them back into the issue for the attacker to collect.<\/p>\n<p>Those variables contain the credentials needed to request an OIDC token, which can be exchanged for a Claude GitHub App installation token with full write access to the repository\u2019s code, issues, and workflows. Aim the attack at\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/anthropics\/claude-code-action\" target=\"_blank\" rel=\"nofollow noopener\">Anthropic\u2019s own claude-code-action repository<\/a>, which ran the same vulnerable workflow, and you could poison the action that thousands of downstream projects pull.<\/p>\n<p>Security researcher RyotaK of\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/flatt.tech\/research\/posts\/poisoning-claude-code-one-github-issue-to-break-the-supply-chain\/\" target=\"_blank\" rel=\"nofollow noopener\">GMO Flatt Security<\/a>\u00a0reported the vulnerability to Anthropic in January. The company fixed the core bypass within four days, with additional hardening through the spring. The patches are in claude-code-action v1.0.94. 
Anthropic rated the issues 7.8 under CVSS v4.0 and paid a bounty of $4,800.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_the_bypass_worked\"><\/span>How the bypass worked<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Claude Code GitHub Actions gives Claude read and write access to a repository\u2019s code, issues, pull requests, discussions, and workflow files by default. To limit who can trigger those capabilities, the action checks whether the actor has write access to the repository.<\/p>\n<p>The check had a hole. It automatically trusted any actor whose name ended in\u00a0<code>[bot]<\/code>, on the assumption that GitHub Apps are trusted tools installed by administrators. But anyone can register a GitHub App, install it on a repository they control, and use its token to open an issue on any public repository. The action saw a bot name and let the content through. Agent mode lacked the additional human-actor verification that tag mode performed, leaving it fully exposed.<\/p>\n<p>Once past the gate, the attacker uses\u00a0indirect prompt injection, planting instructions inside content that Claude reads as data but executes as commands. 
RyotaK crafted an issue body disguised as an error recovery message. Claude \u201crecovered\u201d by running the commands buried inside, reading\u00a0<code>\/proc\/self\/environ<\/code>\u00a0despite Claude Code\u2019s built-in guards against that exact operation, and posting the values to the issue.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"A_second_path_no_bot_required\"><\/span>A second path, no bot required<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>RyotaK also identified a softer route that bypassed the bot trick entirely. Anthropic\u2019s own example issue-triage workflow shipped with the setting\u00a0<code>allowed_non_write_users: \u201c*\u201d<\/code>, which permits anyone to trigger the action. Anthropic\u2019s documentation already flagged this as risky, but many repositories copied the example and inherited the configuration.<\/p>\n<p>Worse, Claude was posting task summaries to the workflow run\u2019s publicly visible summary panel, creating a ready-made exfiltration channel. A third variant targeted race conditions: edit a trusted user\u2019s issue after the workflow fires but before Claude reads it, and the malicious payload rides in as trusted input.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Not_theoretical\"><\/span>Not theoretical<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The same pattern, an AI issue triager combined with broad permissions and prompt injection, has already caused real damage. In February, a prompt-injected issue title against Cline\u2019s claude-code-action triage workflow\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/snyk.io\/blog\/cline-supply-chain-attack-prompt-injection-github-actions\/\" target=\"_blank\" rel=\"nofollow noopener\">let attackers steal an npm publish token<\/a>\u00a0and push an unauthorised [email\u00a0protected]. 
The rogue version force-installed a separate AI agent called OpenClaw on roughly 4,000 developer systems during an eight-hour window before being pulled.<\/p>\n<p>An autonomous bot called HackerBot-Claw then spent late February\u00a0probing GitHub Actions misconfigurations\u00a0at Microsoft, Datadog, and CNCF projects. When it tried to prompt-inject a Claude-based reviewer through a poisoned config file, Claude caught it and refused. That is both reassuring and concerning: the model\u2019s defences are inconsistent enough that the same class of attack sometimes succeeds and sometimes fails.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Fifty_bypasses_and_counting\"><\/span>Fifty bypasses and counting<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>RyotaK says he has now reported approximately 50 separate ways to bypass Claude Code\u2019s permission system and execute commands. The finding is part of a\u00a0broader wave of supply chain attacks\u00a0targeting AI-powered developer tools, from the\u00a0poisoned VS Code extension that breached GitHub\u2019s own repositories\u00a0to malicious npm packages designed to harvest credentials from AI coding assistants.<\/p>\n<p>The remediation is straightforward: update to claude-code-action v1.0.94 or later, audit any workflow that allows non-write users or bots to trigger Claude, strip unnecessary secrets from the environment, and remove tools and permissions that could be used for exfiltration.<\/p>\n<p>The deeper problem is structural. Prompt injection remains unsolved. 
An AI agent with real tools and real tokens can be pushed as far as its permissions allow, and the permissions\u00a0most organisations grant by default\u00a0are far broader than the attack surface they are prepared to defend.<\/p>\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/thenextweb.com\/news\/claude-code-github-action-prompt-injection-flaw\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TL;DR A flaw in Anthropic\u2019s Claude Code GitHub Action let attackers bypass permission checks via a fake bot account and use prompt injection to steal OIDC tokens, gaining write access to any vulnerable repository. Anthropic patched the vulnerability within four days of disclosure. The attack starts with a GitHub issue. Not a sophisticated one. 
Just&#8230;<\/p>\n","protected":false},"author":1,"featured_media":731534,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/media.thenextweb.com\/2026\/04\/anthropic-claude-opus-4-7-coding-agentic-benchmarks-release.avif","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-731533","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/731533","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=731533"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/731533\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/731534"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=731533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=731533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=731533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}