TL;DRA flaw in Anthropic’s Claude Code GitHub Action let attackers bypass permission checks via a fake bot account and use prompt injection to steal OIDC tokens, gaining write access to any vulnerable repository. Anthropic patched the vulnerability within four days of disclosure.
The attack starts with a GitHub issue. Not a sophisticated one. Just an issue opened by a bot account with a carefully worded body that looks like an error message. When Claude Code’s GitHub Action picks it up for triage, it follows the instructions hidden inside, reads the process’s environment variables, and writes them back into the issue for the attacker to collect.
Those variables contain the credentials needed to request an OIDC token, which can be exchanged for a Claude GitHub App installation token with full write access to the repository’s code, issues, and workflows. Aim the attack at Anthropic’s own claude-code-action repository, which ran the same vulnerable workflow, and you could poison the action that thousands of downstream projects pull.
Security researcher RyotaK of GMO Flatt Security reported the vulnerability to Anthropic in January. The company fixed the core bypass within four days, with additional hardening through the spring. The patches are in claude-code-action v1.0.94. Anthropic rated the issues 7.8 under CVSS v4.0 and paid a bounty of $4,800.
