Claude Code exposes OIDC tokens via GitHub Action flaw
Security researcher RyotaK of GMO Flatt Security disclosed a flaw in Anthropic's Claude Code GitHub Action that, combined with prompt injection, could let an unauthenticated attacker steal CI/CD secrets and OIDC tokens, per Flatt Security, The Hacker News, and The Next Web. The action's checkWritePermissions check trusted any actor whose name ended in [bot], so an attacker-installed GitHub App could submit a crafted issue that coaxed Claude into reading /proc/self/environ and exfiltrating environment values. The exposed ACTIONS_ID_TOKEN_REQUEST_* variables let an attacker replay the OIDC exchange for a write-scoped installation token, enabling downstream supply-chain compromise. Anthropic rated the issues 7.8 (CVSS v4.0), patched them in claude-code-action v1.0.94, and paid a 4,800 dollar bounty; RyotaK reported the bug in January and Anthropic fixed the core bypass within four days.
What happened
GMO Flatt Security researcher RyotaK disclosed a vulnerability in Anthropic's Claude Code GitHub Action that, when chained with prompt injection, could allow a fully unauthenticated external attacker to exfiltrate workflow secrets, steal OIDC tokens, and push malicious code to downstream repositories, according to RyotaK's write-up and reporting by The Hacker News and The Next Web. Anthropic rated the issues 7.8 under CVSS v4.0, paid a 4,800 dollar bug bounty, and shipped fixes in claude-code-action v1.0.94. RyotaK reported the flaw to Anthropic in January; the company fixed the core bypass within four days and added further hardening through the spring.
How the exploit worked
The chain combined two failures. First, the action's checkWritePermissions function unconditionally trusted any actor whose username ended in [bot]. Because GitHub Apps have implicit read access to public repositories and can open issues or pull requests using only an installation token, an attacker could register an app and bypass the permission check, as detailed by RyotaK and The Hacker News. Second, Anthropic's example workflows used allowed_non_write_users: "*". Paired with issues: write and a second workflow holding id-token: write, this let an attacker chain the two workflows: capture a token from Claude's publicly visible run summary, then edit an issue to inject instructions into the tag-mode workflow.
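To make the first failure concrete, here is an added illustrative re-creation of the trust-boundary bug in TypeScript; it is not the action's real source. The collaborator lookup is a synchronous callback over a constructed table so the example runs offline (a real check would query GitHub's collaborator permission-level API).

```typescript
// Illustrative re-creation of the "[bot] suffix is trusted" bug, not the action's code.
type Permission = "admin" | "maintain" | "write" | "triage" | "read" | "none";
type PermissionLookup = (username: string) => Permission;

const WRITE_LEVELS: Permission[] = ["admin", "maintain", "write"];

// Flawed pattern: a name ending in "[bot]" is waved through with no lookup at all,
// so any GitHub App an attacker installs on their own account qualifies.
function checkWritePermissionsFlawed(actor: string, lookup: PermissionLookup): boolean {
  if (actor.endsWith("[bot]")) return true;
  return WRITE_LEVELS.includes(lookup(actor));
}

// Hardened pattern: the actor name is never a credential. Bots and humans go through
// the same collaborator lookup, and an actor the repo cannot resolve gets no access.
function checkWritePermissionsHardened(actor: string, lookup: PermissionLookup): boolean {
  let level: Permission;
  try {
    level = lookup(actor);
  } catch {
    return false; // unknown to the repository (e.g. an outside app): deny
  }
  return WRITE_LEVELS.includes(level);
}

// Constructed collaborator table for a sample repository (hypothetical accounts).
const SAMPLE_COLLABORATORS: Record<string, Permission> = {
  "maintainer-alice": "write",
  "drive-by-contributor": "read",
  "trusted-ci-app[bot]": "write", // an app the repository owner actually installed
};

function sampleLookup(username: string): Permission {
  const level = SAMPLE_COLLABORATORS[username];
  if (level === undefined) throw new Error(`${username} is not a collaborator`);
  return level;
}
```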
Why the OIDC tokens matter
The most sensitive values exposed are ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL, the credentials used to request an OIDC token from GitHub Actions. Claude Code uses that OIDC token to obtain a privileged Claude GitHub App installation token from Anthropic's backend. With the exfiltrated values, an attacker could replay the entire exchange and obtain a token with write access to repository contents, issues, pull requests, and workflows, per The Next Web.
Industry context
The Cloud Security Alliance's research note places the incident in a broader class of prompt-injection risks affecting AI coding agents wired into CI/CD, naming GitHub Copilot Coding Agent, Google Gemini CLI, and Claude Code. Separate researchers documenting the 'Comment and Control' pattern show the same idea generalizes: untrusted issue, PR, and comment text becomes a command path to privileged runtime state.
For practitioners
- Treat issue, PR, and comment fields as tainted input when an agent can act on them.
- Audit workflow triggers, avoid wildcard allow-lists such as allowed_non_write_users: "*", and separate id-token: write jobs from agent jobs.
- Update to claude-code-action v1.0.94 or later and review least-privilege scoping of installation and OIDC token exchange.
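The checklist above can be encoded as an audit over workflow files. The following is an added example (not part of claude-code-action) that walks a workflow already parsed from YAML, constructed inline here as an object, and reports the wildcard allow-list, an agent job holding id-token: write, and an agent job that runs on untrusted-text triggers with contents: write.

```typescript
// Added audit helper; the workflow shapes below are constructed samples, not real files.
type Step = { uses?: string; with?: Record<string, unknown> };
type Perms = Record<string, string> | string;
type Job = { permissions?: Perms; steps?: Step[] };
type Workflow = { on: Record<string, unknown> | string[]; permissions?: Perms; jobs: Record<string, Job> };

const AGENT_ACTION = "anthropics/claude-code-action";
// Events whose payload carries text an outsider controls (issue, PR and comment bodies).
const TEXT_TRIGGERS = ["issues", "issue_comment", "pull_request_target", "pull_request_review_comment"];

// Resolve one permission scope for a job. Job-level permissions replace workflow-level
// ones entirely, and the "write-all" shorthand grants every scope.
function scope(wf: Workflow, job: Job, name: string): string {
  const p = job.permissions ?? wf.permissions ?? {};
  if (typeof p === "string") return p === "write-all" ? "write" : "read";
  return p[name] ?? "none";
}

function auditWorkflow(wf: Workflow): string[] {
  const findings: string[] = [];
  const triggers = Array.isArray(wf.on) ? wf.on : Object.keys(wf.on);
  const textTriggers = triggers.filter((t) => TEXT_TRIGGERS.includes(t));
  for (const [jobName, job] of Object.entries(wf.jobs)) {
    const agentSteps = (job.steps ?? []).filter((s) => s.uses?.startsWith(`${AGENT_ACTION}@`));
    if (agentSteps.length === 0) continue; // only jobs that actually run the agent matter
    if (agentSteps.some((s) => s.with?.allowed_non_write_users === "*")) {
      findings.push(`${jobName}: allowed_non_write_users: "*" lets any account drive the agent`);
    }
    if (scope(wf, job, "id-token") === "write") {
      findings.push(`${jobName}: agent job holds id-token: write; move OIDC work to a separate job`);
    }
    if (textTriggers.length > 0 && scope(wf, job, "contents") === "write") {
      findings.push(`${jobName}: runs on ${textTriggers.join(",")} with contents: write; tainted text can reach a push`);
    }
  }
  return findings;
}

// Constructed samples: the risky shape described in the article, then a tightened version.
const WEAK: Workflow = {
  on: { issues: { types: ["opened"] }, issue_comment: { types: ["created"] } },
  permissions: { contents: "write", issues: "write", "id-token": "write" },
  jobs: { claude: { steps: [{ uses: `${AGENT_ACTION}@v1`, with: { allowed_non_write_users: "*" } }] } },
};
const FIXED: Workflow = {
  on: { issue_comment: { types: ["created"] } },
  jobs: {
    claude: { permissions: { contents: "read", issues: "write", "pull-requests": "write" }, steps: [{ uses: `${AGENT_ACTION}@v1` }] },
    publish: { permissions: { "id-token": "write", contents: "read" }, steps: [{ uses: "actions/checkout@v4" }] },
  },
};
```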
Key Points
- A single crafted GitHub issue could turn Claude Code's Action into a credential and OIDC-token exfiltration path, per RyotaK and The Hacker News.
- Anthropic patched the flaw in claude-code-action v1.0.94, rated it 7.8 CVSS v4.0, and paid a 4,800 dollar bounty, showing real but contained severity.
- The case shows AI agents in CI/CD are a new supply-chain attack surface, raising the stakes for trigger checks and least-privilege token hygiene.
Scoring Rationale
A responsibly disclosed, now-patched prompt-injection chain in a widely used AI coding action that could expose OIDC tokens and enable downstream supply-chain compromise, rated 7.8 CVSS by Anthropic with a 4,800 dollar bounty. It is operationally important to anyone running AI agents in CI/CD, but the contained severity, quick fix, and lack of in-the-wild exploitation keep it just below the top of the major-vulnerability band.
Sources
Public references used for this report.
- Prompt Injection in AI-Powered GitHub Actions (CSA research note), labs.cloudsecurityalliance.org
- Trusting Claude With a Knife: Unauthorized Prompt Injection to RCE in Claude Code Action, johnstawinski.com
- Comment and Control: Prompt Injection to Credential Theft in AI coding agents, oddguan.com
- Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents, aikido.dev
- Shai Hulud: SAP CAP Supply Chain Attack Via Claude Code, mend.io
- claude-code-security-review/.claude/commands/security-review.md at main · anthropics/claude-code-security-review, github.com
- Securing CI/CD in an agentic world: Claude Code Github action case, itsecuritynews.info