Swati KhandelwalJun 04, 2026Vulnerability / AI Security

A security researcher found a flaw in Anthropic's Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it, with nothing more than a single opened GitHub issue. Because Anthropic's own action repo used the same workflow, a working attack could have pushed malicious code into the action itself and onto the projects downstream that pull it.

RyotaK of GMO Flatt Security reported the core bypass to Anthropic in January, and Anthropic fixed it within four days, with further hardening through the spring; the fixes are in claude-code-action v1.0.94.

Anthropic rated the issues 7.8 under CVSS v4.0 and paid a bug bounty. The writeup doesn't cite a CVE.

Claude Code GitHub Actions drops Claude into CI/CD pipelines to triage issues, slap on labels, review pull requests, or run slash commands. By default, the workflow gets read and write access to a repo's code, issues, pull requests, discussions, and workflow files. Because those permissions are broad, the action is supposed to be picky about who can trigger it: only users with write access.