Back

Critical Vulnerability in Claude Code GitHub Actions Exposes Repositories to Attacks

Severity: High (Score: 72.6)

Sources: Feeds.4Sysops, Blogs.Microsoft, Gbhackers, Cybersecuritynews, Thenextweb

Published: 2026-06-02 · Updated: 2026-06-06

Keywords: claude, code, github, actions, compromise, vulnerability, anthropic

Severity indicators: vulnerability, flaw

Summary

A critical supply chain vulnerability in Claude Code’s GitHub Actions, identified by security researcher Ryota K from GMO Flat Security, allows attackers to compromise any repository using Anthropic’s CI/CD workflow. The flaw is due to a flawed permission model that enables bypassing of permission controls, exposing thousands of repositories to full compromise through a single malicious GitHub issue. The vulnerability has been patched in version 1.0.94 of Claude Code GitHub Actions. The impact is significant, potentially affecting Anthropic’s own infrastructure. Users are urged to update their systems to mitigate this risk. The vulnerability highlights serious concerns regarding supply chain security in CI/CD environments. Key Points: • A critical vulnerability in Claude Code GitHub Actions allows full repository compromise. • The flaw stems from a flawed permission model, enabling attackers to bypass controls. • The vulnerability has been patched in version 1.0.94, and users are advised to update.

Detailed Analysis

**Impact** Thousands of repositories using Anthropic’s Claude Code GitHub Actions workflow are affected, including Anthropic’s own infrastructure. The vulnerability enables attackers to fully compromise repositories, potentially impacting software supply chains across multiple sectors relying on these CI/CD workflows. The scope includes any organization or developer integrating this workflow, with no geographic limitations specified. **Technical Details** The vulnerability arises from a flawed permission model in the checkWritePermissions function within Claude Code GitHub Actions, allowing attackers to bypass permission controls. Attackers can exploit this via a single malicious GitHub issue to inject untrusted code, leading to full repository compromise. The flaw was identified by security researcher RyotaK of GMO Flatt Security and patched in version 1.0.94. No CVE identifiers or specific malware/tools were mentioned. **Recommended Response** Apply the patched Claude Code GitHub Actions version 1.0.94 immediately to remediate the permission model flaw. Review repository workflows for unauthorized changes or suspicious GitHub issues that could indicate exploitation attempts. Harden permission configurations in CI/CD pipelines and monitor for unusual activity related to GitHub Actions usage. No additional IOCs were provided for detection.

Source articles (12)

  • Claude Code’s GitHub Actions Vulnerability Lets Attackers Compromise Any Repository — Cybersecuritynews · 2026-06-02
    A critical supply chain vulnerability in Claude Code’s GitHub Actions that could allow attackers to compromise any repository using Anthropic’s official CI/CD workflow, including Anthropic’s own infra…
  • Claude Code GitHub Actions Flaw Exposes Repositories to Full Compromise — Gbhackers · 2026-06-02
    A critical supply chain vulnerability in Anthropic’s Claude Code GitHub Actions workflow has been disclosed, exposing thousands of repositories to potential full compromise through a single malicious…
  • Claude Code Flaw Exposes Repositories to Compromise | Let's Data Science — Letsdatascience · 2026-06-02
    Security researcher reporting at Flatt.tech disclosed a critical supply-chain vulnerability in Anthropic's Claude Code GitHub Actions workflow that could allow full repository compromise via a single…
  • Claude Code GitHub Action flaw enabled repository hijacking — Thenextweb · 2026-06-04
    TL;DR A flaw in Anthropic’s Claude Code GitHub Action let attackers bypass permission checks via a fake bot account and use prompt injection to steal OIDC tokens, gaining write access to any vulnerabl…
  • GMO Flatt Security — flatt.tech · 2026-06-04
    After publishing my article ( Pwning Claude Code in 8 Different Ways ), I continued investigating Claude-related products and found several more vulnerabilities. In this article, I will explain a vuln…
  • Cline Supply Chain Attack Prompt Injection Github Actions — snyk.io · 2026-06-04
    On February 9, 2026, security researcher Adnan Khan publicly disclosed a vulnerability chain (dubbed "Clinejection") in the Cline repository that turned the popular AI coding tool's own issue triage b…
  • Claude Code has an MCP security problem — Csoonline · 2026-06-05
    Claude Code is Anthropic’s AI coding assistant — a command-line tool that developers are adopting fast. It connects to external services through Model Context Protocol, the standard that lets AI tools…
  • Securing CI/CD in an agentic world: Claude Code Github action case — Blogs.Microsoft · 2026-06-05
    Microsoft Threat Intelligence identified a prompt injection pathway in Claude Code GitHub Action that allowed access to workflow secrets under specific conditions. This research examines the attack ch…
  • Claude Code exposes OIDC tokens via GitHub Action flaw | Let's Data Science — Letsdatascience · 2026-06-05
    Security researcher RyotaK of GMO Flatt Security disclosed a flaw in Anthropic's Claude Code GitHub Action that, combined with prompt injection, could let an unauthenticated attacker steal CI/CD secre…
  • Anthropic patches Claude Code vulnerability that exposed CI/CD secrets — Feeds.4Sysops · 2026-06-06
    Microsoft researchers discovered a vulnerability in Anthropic’s Claude Code GitHub Action that allowed attackers to exfiltrate sensitive CI/CD secrets. While the tool used sandboxing for command execu…
  • Claude Code Vulnerability Could Let Attackers Steal Credentials From GitHub, Says Microsoft — Decrypt.Co · 2026-06-06
    Microsoft researchers disclosed a now-patched vulnerability in Anthropic's Claude Code GitHub Action that could have allowed attackers to expose credentials stored in software development pipelines by…
  • Microsoft Reports Claude Code GitHub Action Credential Leak | Let's Data Science — Letsdatascience · 2026-06-06
    Microsoft Threat Intelligence reported that Anthropic's Claude Code GitHub Action could expose CI/CD workflow secrets when the agent processed untrusted GitHub content, according to a Microsoft securi…

Timeline

  • 2026-06-02 — Vulnerability disclosed: Ryota K from GMO Flat Security disclosed a critical supply chain vulnerability in Claude Code GitHub Actions, affecting thousands of repositories.
  • 2026-06-02 — Patch released: Claude Code GitHub Actions version 1.0.94 was released to address the identified vulnerabilities.

Related entities

  • Data Breach (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Anthropic (Company)
  • GBHackers (Company)
  • GMO Flat Security (Company)
  • Tenable (Company)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • flatt.tech (Domain)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • Claude Code (Tool)
  • GitHub Actions (Tool)
  • GitHub (Platform)
  • GitHub Copilot Agent (Platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed