Back

Critical Vulnerability in Claude Code GitHub Actions Exposes Repositories to Attacks

Severity: High (Score: 72.6)

Sources: Cybersecuritynews, Letsdatascience, Gbhackers

Published: 2026-06-02 · Updated: 2026-06-02

Keywords: claude, code, github, actions, compromise, vulnerability, anthropic

Severity indicators: vulnerability, flaw

Summary

A critical supply chain vulnerability in Claude Code’s GitHub Actions, identified by security researcher Ryota K from GMO Flat Security, allows attackers to compromise any repository using Anthropic’s CI/CD workflow. The flaw is due to a flawed permission model that enables bypassing of permission controls, exposing thousands of repositories to full compromise through a single malicious GitHub issue. The vulnerability has been patched in version 1.0.94 of Claude Code GitHub Actions. The impact is significant, potentially affecting Anthropic’s own infrastructure. Users are urged to update their systems to mitigate this risk. The vulnerability highlights serious concerns regarding supply chain security in CI/CD environments. Key Points: • A critical vulnerability in Claude Code GitHub Actions allows full repository compromise. • The flaw stems from a flawed permission model, enabling attackers to bypass controls. • The vulnerability has been patched in version 1.0.94, and users are advised to update.

Detailed Analysis

**Impact** Thousands of repositories using Anthropic’s Claude Code GitHub Actions workflow are affected, including Anthropic’s own infrastructure. The vulnerability enables attackers to fully compromise repositories, potentially impacting software supply chains across multiple sectors relying on these CI/CD workflows. The scope includes any organization or developer integrating this workflow, with no geographic limitations specified. **Technical Details** The vulnerability arises from a flawed permission model in the checkWritePermissions function within Claude Code GitHub Actions, allowing attackers to bypass permission controls. Attackers can exploit this via a single malicious GitHub issue to inject untrusted code, leading to full repository compromise. The flaw was identified by security researcher RyotaK of GMO Flatt Security and patched in version 1.0.94. No CVE identifiers or specific malware/tools were mentioned. **Recommended Response** Apply the patched Claude Code GitHub Actions version 1.0.94 immediately to remediate the permission model flaw. Review repository workflows for unauthorized changes or suspicious GitHub issues that could indicate exploitation attempts. Harden permission configurations in CI/CD pipelines and monitor for unusual activity related to GitHub Actions usage. No additional IOCs were provided for detection.

Source articles (3)

  • Claude Code’s GitHub Actions Vulnerability Lets Attackers Compromise Any Repository — Cybersecuritynews · 2026-06-02
    A critical supply chain vulnerability in Claude Code’s GitHub Actions that could allow attackers to compromise any repository using Anthropic’s official CI/CD workflow, including Anthropic’s own infra…
  • Claude Code GitHub Actions Flaw Exposes Repositories to Full Compromise — Gbhackers · 2026-06-02
    A critical supply chain vulnerability in Anthropic’s Claude Code GitHub Actions workflow has been disclosed, exposing thousands of repositories to potential full compromise through a single malicious…
  • Claude Code Flaw Exposes Repositories to Compromise | Let's Data Science — Letsdatascience · 2026-06-02
    Security researcher reporting at Flatt.tech disclosed a critical supply-chain vulnerability in Anthropic's Claude Code GitHub Actions workflow that could allow full repository compromise via a single…

Timeline

  • 2026-06-02 — Vulnerability disclosed: Ryota K from GMO Flat Security disclosed a critical supply chain vulnerability in Claude Code GitHub Actions, affecting thousands of repositories.
  • 2026-06-02 — Patch released: Claude Code GitHub Actions version 1.0.94 was released to address the identified vulnerabilities.

Related entities

  • Data Breach (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Anthropic (Company)
  • GBHackers (Company)
  • GMO Flat Security (Company)
  • Tenable (Company)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • flatt.tech (Domain)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • Claude Code (Tool)
  • GitHub Actions (Tool)
  • GitHub (Platform)
  • GitHub Copilot Agent (Platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed