Claude Code GitHub Action Flaw Enabled Repository Hijacking

The TL;DR
A flaw in Anthropic’s Claude Code GitHub Action allowed attackers to bypass its permission checks with a fake bot account and use prompt injection to steal OIDC tokens, gaining write access to any vulnerable repository. Anthropic patched the vulnerability within four days of disclosure.
The attack starts with a GitHub issue. It is not complicated. The only trick is that the issue is opened by a bot account with a carefully worded body that looks like an error message. When the Claude Code Action picks it up for processing, it follows the instructions hidden inside, reads the process’s environment variables, and writes them back to the issue for the attacker to collect.
Those variables contain the credentials needed to request an OIDC token, which can be exchanged for a Claude GitHub App installation token with full write access to code, issues, and workflows. Point the attack at Anthropic’s own claude-code-action repository, which used the same vulnerable workflow, and you could poison an action pulled in by thousands of downstream projects.
Security researcher RyotaK of GMO Flatt Security reported the vulnerability to Anthropic in January. The company shipped the core of the patch within four days, with additional hardening in the spring. The fixes are in claude-code-action v1.0.94. Anthropic rated the issue 7.8 under CVSS v4.0 and paid a bounty of $4,800.
How the bypass worked
Claude Code GitHub Action gives Claude read and write access to code, issues, pull requests, discussions, and workflow files. To limit who can trigger those capabilities, the action checks whether the actor has write access to the repository.
The check had a hole. It automatically trusted any actor whose name ends with [bot], on the assumption that GitHub Apps are trusted tools installed by administrators. But anyone can register a GitHub App, install it in a repository they control, and use its token to open an issue in any public repository. The action saw the bot-style name and let the content through. Agent mode also lacked the additional human-actor validation that tag mode had, leaving it fully exposed.
Once through the gate, the attacker uses indirect prompt injection, planting instructions inside content that Claude reads as data but executes as instructions. RyotaK crafted an issue body disguised as an error-recovery message. Claude “recovered” by following the instructions buried inside, reading /proc/self/environ despite Claude Code’s built-in guards against exactly that, and posting the values to the issue.
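To make the gate logic concrete, here is an added example (not Anthropic's code) that models the two checks the article describes side by side: the vulnerable version, which trusts any login ending in [bot] and admits everyone when allowed_non_write_users is "*", and a hardened version that only trusts an explicit bot allow-list and a real permission lookup. The Event fields, the REPO_PERMISSIONS table and the permission_for() stub are constructed stand-ins for GitHub's collaborator-permission API.

```python
"""Model of the actor gate in front of a Claude-style GitHub Action.

Added example, not Anthropic's code. The permission lookup is a
constructed stub; a real gate would query GitHub's collaborator
permission endpoint for the repository.
"""
from dataclasses import dataclass

WRITE_LEVELS = {"write", "maintain", "admin"}

# Constructed collaborator table standing in for the GitHub permissions API.
REPO_PERMISSIONS = {
    "maintainer-alice": "admin",
    "contributor-bob": "write",
    "drive-by-carol": "read",
}


@dataclass(frozen=True)
class Event:
    actor: str   # login of the account that opened the issue or comment
    mode: str    # "tag" or "agent", the two trigger modes the article names


def permission_for(actor: str) -> str:
    """Stand-in for the collaborator-permission lookup."""
    return REPO_PERMISSIONS.get(actor, "none")


def vulnerable_gate(event: Event, allowed_non_write_users: str = "") -> bool:
    """The flawed logic: a "[bot]" suffix is taken as proof of an admin-installed app."""
    if allowed_non_write_users == "*":
        return True                       # the example-workflow footgun: everyone passes
    if event.actor.endswith("[bot]"):
        # Any self-registered GitHub App produces such a login. Tag mode had an
        # extra human-actor check that rejected bots; agent mode did not.
        return event.mode == "agent"
    return permission_for(event.actor) in WRITE_LEVELS


def hardened_gate(event: Event, allowed_bots=(), allowed_non_write_users: str = "") -> bool:
    """Trust is explicit: listed bots only, wildcard refused, otherwise a permission lookup."""
    if allowed_non_write_users == "*":
        raise ValueError('refusing allowed_non_write_users: "*"')
    if event.actor.endswith("[bot]"):
        return event.actor in allowed_bots   # suffix alone proves nothing
    return permission_for(event.actor) in WRITE_LEVELS


if __name__ == "__main__":
    evil = Event("evil-app[bot]", "agent")
    print("vulnerable gate admits attacker bot:", vulnerable_gate(evil))
    print("hardened gate admits attacker bot:", hardened_gate(evil))
```

The point of the hardened version is that bot logins are only meaningful when an administrator has listed them; everything else falls through to the same permission lookup a human actor gets, regardless of mode.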
Second method, no bot required
RyotaK also identified a second route that bypasses the bot trick entirely. Anthropic’s own example workflow ships with the setting allowed_non_write_users: "*", which allows anyone to trigger the action. Anthropic’s documentation already marks this as dangerous, but many repositories have copied the example and inherited the configuration.
Worse, Claude was posting job summaries to the publicly visible job run summary panel, creating a ready-made exfiltration channel. A third avenue was a race condition: modify a trusted user’s issue after the workflow fires but before Claude reads it, and the malicious payload rides in as trusted input.
Not a theory
The same pattern, an AI triager combined with broad permissions and prompt injection, has already caused real damage. In February, a prompt-injected issue thread against Cline’s claude-code-action triage workflow allowed attackers to steal the npm publish token and push an unauthorized [email protected]. The malicious version installed a different AI agent called OpenClaw on nearly 4,000 developer machines during the eight-hour window before it was pulled.
An independent bot called HackerBot-Claw then spent late February probing for misconfigured GitHub Actions workflows in Microsoft, Datadog, and CNCF projects. When it tried to prompt-inject a Claude-based reviewer with a poisoned fix, Claude caught it and refused. That is both reassuring and concerning: the model’s defenses are inconsistent enough that the same class of attack sometimes succeeds and sometimes fails.
Fifty bypasses and counting
RyotaK says he has now reported about 50 different ways to bypass the Claude Code permission system and issue commands. The findings are part of a wider wave of supply chain attacks targeting AI-enabled developer tools, from a poisoned VS Code extension that breached GitHub repositories to malicious npm packages designed to harvest credentials from AI code assistants.
The fix is straightforward: update to claude-code-action v1.0.94 or later, search for any workflows that allow non-authors or bots to trigger Claude, strip unnecessary secrets from the environment, and remove tools and permissions that an injected prompt could abuse.
The deeper problem is structural. Prompt injection remains unsolved. An AI agent with real tools and real tokens can be steered into using everything its permissions allow, and the permissions many organizations grant by default are far broader than the attack surface they are prepared to defend.
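The audit steps above (pinned version, wildcard trigger setting, secrets in the environment, broad permissions) can be scripted. The following is an added example, not Anthropic's tooling, that scans workflow files line by line with the standard library only. The version floor 1.0.94 and the allowed_non_write_users input come from the article; the action path anthropics/claude-code-action, the permission names it flags and the embedded sample workflow are assumptions and constructed input.

```python
"""Audit GitHub workflow files for risky claude-code-action settings.

Added example, not Anthropic's tooling. Plain line scanning is used instead
of a YAML parser so the script has no third-party dependencies; it is meant
for quick triage across many repositories, not as a full YAML validator.
"""
import re

FIXED_VERSION = (1, 0, 94)   # patched release named in the article
# Assumed action path; adjust if the workflow references a fork.
ACTION_RE = re.compile(r"uses:\s*anthropics/claude-code-action@(\S+)")
WILDCARD_RE = re.compile(r"allowed_non_write_users:\s*['\"]?\*['\"]?")
# Permissions worth a second look when an injectable agent runs in the job.
BROAD_PERMS_RE = re.compile(r"^\s*(contents|id-token|actions|workflows):\s*write\s*$")
SECRET_ENV_RE = re.compile(r"^\s*([A-Z0-9_]+):\s*\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")


def parse_version(ref: str):
    """Return (major, minor, patch) for refs like v1.0.94, or None for floating refs."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_workflow(text: str) -> list:
    """Return a list of (line_number, message) findings for one workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ACTION_RE.search(line)
        if m:
            ver = parse_version(m.group(1))
            if ver is None:
                findings.append((lineno, f"floating ref @{m.group(1)}: confirm it resolves to >= v1.0.94"))
            elif ver < FIXED_VERSION:
                findings.append((lineno, f"claude-code-action {m.group(1)} predates the v1.0.94 fix"))
        if WILDCARD_RE.search(line):
            findings.append((lineno, 'allowed_non_write_users: "*" lets anyone trigger Claude'))
        m = BROAD_PERMS_RE.match(line)
        if m:
            findings.append((lineno, f"write permission granted: {m.group(1)}; confirm the job needs it"))
        m = SECRET_ENV_RE.match(line)
        if m:
            findings.append((lineno, f"secret {m.group(2)} exposed in the environment as {m.group(1)}"))
    return findings


# Constructed sample workflow reproducing the risky configuration.
SAMPLE_WORKFLOW = """\
name: claude-triage
on:
  issues:
    types: [opened]
permissions:
  contents: write
  id-token: write
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    env:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    steps:
      - uses: anthropics/claude-code-action@v1.0.90
        with:
          allowed_non_write_users: "*"
"""

if __name__ == "__main__":
    for lineno, message in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {message}")
```

Run it over .github/workflows/*.yml in each repository; an empty result for a file that pins v1.0.94 or later, omits the wildcard and passes no secrets through env is the baseline to aim for, and every remaining finding is a decision to justify rather than a defect by itself.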