Claude Code exposes OIDC tokens via GitHub Action flaw
Security researcher RyotaK of GMO Flatt Security disclosed a flaw in Anthropic's Claude Code GitHub Action that, combined with prompt injection, could let an unauthenticated attacker steal CI/CD secrets and OIDC tokens, per Flatt Security, The Hacker News, and The Next Web. The action's checkWritePermissions check trusted any actor whose name ended in [bot], so an attacker-installed GitHub App could submit a crafted issue that coaxed Claude into reading /proc/self/environ and exfiltrating environment values. The exposed ACTIONS_ID_TOKEN_REQUEST_* variables let an attacker replay the OIDC exchange for a write-scoped installation token, enabling downstream supply-chain compromise. Anthropic rated the issues 7.8 (CVSS v4.0), patched them in claude-code-action v1.0.94, and paid a 4,800 dollar bounty; RyotaK reported the bug in January and Anthropic fixed the core bypass within four days.
What happened
GMO Flatt Security researcher RyotaK disclosed a vulnerability in Anthropic's Claude Code GitHub Action that, when chained with prompt injection, could allow a fully unauthenticated external attacker to exfiltrate workflow secrets, steal OIDC tokens, and push malicious code to downstream repositories, according to RyotaK's write-up and reporting by The Hacker News and The Next Web. Anthropic rated the issues 7.8 under CVSS v4.0, paid a 4,800 dollar bug bounty, and shipped fixes in claude-code-action v1.0.94. RyotaK reported the flaw to Anthropic in January; the company fixed the core bypass within four days and added further hardening through the spring.
How the exploit worked
The chain combined two failures. First, the action's checkWritePermissions function unconditionally trusted any actor whose username ended in [bot]. Because GitHub Apps have implicit read access to public repositories and can open issues or pull requests using only an installation token, an attacker could register an app and bypass the permission check, as detailed by RyotaK and The Hacker News. Second, Anthropic's example workflows used allowed_non_write_users: "*"; paired with issues: write and a second workflow holding id-token: write, an attacker could chain the two to capture a token from Claude's publicly visible run summary, then edit an issue to inject instructions into the tag-mode workflow.
Why the OIDC tokens matter
The most sensitive values exposed are ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL, the credentials used to request an OIDC token from GitHub Actions. Claude Code uses that OIDC token to obtain a privileged Claude GitHub App installation token from Anthropic's backend. With the exfiltrated values, an attacker could replay the entire exchange and obtain a token with write access to repository contents, issues, pull requests, and workflows, per The Next Web.
Industry context
The Cloud Security Alliance's research note places the incident in a broader class of prompt-injection risks affecting AI coding agents wired into CI/CD, naming GitHub Copilot Coding Agent, Google Gemini CLI, and Claude Code. Separate researchers documenting the 'Comment and Control' pattern show the same idea generalizes: untrusted issue, PR, and comment text becomes a command path to privileged runtime state.
For practitioners
- Treat issue, PR, and comment fields as tainted input when an agent can act on them.
- Audit workflow triggers, avoid wildcard allow-lists such as allowed_non_write_users: "*", and separate id-token: write jobs from agent jobs.
- Update to claude-code-action v1.0.94 or later and review least-privilege scoping of installation and OIDC token exchange.
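As an added example (not from the original article or from Anthropic's code), a small Python auditor that applies the checks above to the text of a workflow file. The `anthropics/claude-code-action@<ref>` reference form, the finding labels and the sample workflows are assumptions constructed for illustration, and the matching is a coarse file-level text check rather than a YAML parse.

```python
import re

# Assumption: the action is referenced as anthropics/claude-code-action@<ref>.
ACTION_RE = re.compile(r"uses:\s*anthropics/claude-code-action@(\S+)")
WILDCARD_RE = re.compile(r"allowed_non_write_users:\s*[\"']?\*[\"']?\s*$", re.M)
IDTOKEN_RE = re.compile(r"^\s*id-token:\s*write\s*$", re.M)
FIXED = (1, 0, 94)  # fixed release named in the article

def parse_version(ref):
    """Return (major, minor, patch) for a full vX.Y.Z tag, else None."""
    m = re.fullmatch(r"v(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(map(int, m.groups())) if m else None

def audit_workflow(text):
    """Return finding labels (hypothetical names) for one workflow file."""
    refs = ACTION_RE.findall(text)
    if not refs:
        return []  # the agent action is not used in this workflow
    findings = []
    if WILDCARD_RE.search(text):
        findings.append("wildcard-allowed-non-write-users")
    if IDTOKEN_RE.search(text):
        findings.append("id-token-write-with-agent")
    for ref in refs:
        ver = parse_version(ref)
        if ver is None:
            findings.append(f"unverifiable-ref:{ref}")  # floating tag or SHA
        elif ver < FIXED:
            findings.append(f"outdated-action:{ref}")
    return findings

# Constructed sample workflows (not taken from any real repository).
RISKY = """\
on: [issues]
permissions:
  issues: write
  id-token: write
jobs:
  agent:
    steps:
      - uses: anthropics/claude-code-action@v1.0.60
        with:
          allowed_non_write_users: "*"
"""
HARDENED = RISKY.replace('        with:\n          allowed_non_write_users: "*"\n', "") \
    .replace("  id-token: write\n", "").replace("v1.0.60", "v1.0.94")

if __name__ == "__main__":
    for name, wf in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, audit_workflow(wf))
```

A floating tag or commit SHA is reported as unverifiable because the text alone cannot show whether it resolves to v1.0.94 or later.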
Scoring Rationale
A responsibly disclosed, now-patched prompt-injection chain in a widely used AI coding action that could expose OIDC tokens and enable downstream supply-chain compromise, rated 7.8 CVSS by Anthropic with a 4,800 dollar bounty. It is operationally important to anyone running AI agents in CI/CD, but the contained severity, quick fix, and lack of in-the-wild exploitation keep it just below the top of the major-vulnerability band.

