A security researcher found a flaw in Anthropic’s Claude Code GitHub Action that could let an attacker take over vulnerable public repositories with a single opened GitHub issue, and even potentially poison Anthropic’s own action repository. Anthropic fixed the issue in claude-code-action v1.0.94 after RyotaK of GMO Flatt Security reported it, but the research also highlighted how prompt injection and broad workflow permissions can expose secrets and enable supply-chain compromise.
Key points
- Claude Code GitHub Action could be triggered through a flawed bot check.
- An attacker could exploit a single public GitHub issue to reach vulnerable repositories.
- Indirect prompt injection was used to bypass Claude’s guardrails and extract environment secrets.
- Stolen workflow credentials could be replayed to gain write access through GitHub OIDC.
- Anthropic released claude-code-action v1.0.94 and advised auditing workflows for untrusted input.
Read More: https://thehackernews.com/2026/06/claude-code-github-action-flaw-let-one.html
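The workflow audit recommended in the last key point can start as a text scan of each file under .github/workflows. The following is an added example, not code from Anthropic, the researcher or the article; it assumes the action is referenced as anthropics/claude-code-action, treats issues and issue_comment as the untrusted triggers, and runs on a constructed sample workflow.

```python
import re
FIXED = (1, 0, 94)  # release the article names as containing the fix
USES = re.compile(r"uses:\s*['\"]?anthropics/claude-code-action(?:/[\w./-]+)?@([\w.-]+)")
WRITE = re.compile(r"^[ \t]*([\w-]+):[ \t]*write(?:-all)?[ \t]*$", re.M)
EVENT = r"(issues|issue_comment)"  # text here can be authored by any GitHub user

def triggers(text):
    """Issue-driven events, in mapping form or inline form (on: [issues])."""
    found = set(re.findall(rf"^[ \t]+{EVENT}:[ \t]*$", text, re.M))
    for line in re.findall(r"^on:(.+)$", text, re.M):
        found |= set(re.findall(rf"\b{EVENT}\b", line))
    return sorted(found)

def audit_workflow(text):
    """Return (code, detail) findings for the text of one workflow file."""
    refs = USES.findall(text)
    if not refs:
        return []  # the action is not used here
    findings = []
    for ref in refs:
        m = re.fullmatch(r"v(\d+)\.(\d+)\.(\d+)", ref)
        if m is None:  # branch, major tag or commit SHA: resolve it by hand
            findings.append(("unverified-ref", ref))
        elif tuple(map(int, m.groups())) < FIXED:
            findings.append(("outdated", ref))
    events = triggers(text)
    if events:
        findings.append(("untrusted-trigger", ",".join(events)))
    scopes = sorted(set(WRITE.findall(text)))
    if scopes:  # includes id-token: write, which allows OIDC token requests
        findings.append(("write-permission", ",".join(scopes)))
    return findings

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
on:
  issues:
    types: [opened]
permissions:
  contents: write
  id-token: write
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: anthropics/claude-code-action@v1.0.93
"""

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE), sep="\n")
```

This is a line-based heuristic rather than a YAML parser, so a finding marks a file for manual review and an empty result does not prove a workflow is safe.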