Claude Code GitHub Action Exposes CI/CD Secrets

A high-severity vulnerability in Anthropic's Claude Code GitHub Action, disclosed June 1, 2026 by researcher RyotaK of GMO Flatt Security, allowed unauthenticated attackers to bypass the action's repository permission check and exfiltrate CI/CD secrets via indirect prompt injection. The flaw: the action's checkWritePermissions function unconditionally trusted any actor whose login ended in [bot], so anyone who registered a GitHub App could trigger the workflow with attacker-controlled content. Combined with the agent's ability to read /proc/self/environ, an attacker could capture the workflow's OIDC request credentials and, through them, an installation token with write access to the repository, compromising entire repository supply chains. Variants were actively exploited: Cline's GitHub Actions workflow was compromised in February 2026, with an attacker stealing an npm publish token and pushing an unauthorized [email protected] release. Anthropic fixed the core bypass in claude-code-action v1.0.94, rated the issue CVSS v4.0 7.8 (High), and paid a $4,800 bounty. Microsoft published a separate writeup on June 5.
What Happened
RyotaK, a security researcher at GMO Flatt Security, disclosed on June 1, 2026 a vulnerability in Anthropic's claude-code-action GitHub Action that allowed an external attacker with no role on the target repository to bypass the action's permission check and exfiltrate CI/CD secrets via indirect prompt injection. The core flaw: the checkWritePermissions function unconditionally trusted any GitHub actor whose login ended in [bot], on the assumption that GitHub Apps are trusted entities. A GitHub App acts under the login <app-slug>[bot], and because anyone can register a GitHub App and use its installation token to open issues on public repositories, an attacker could satisfy the check with an app they controlled. Anthropic fixed the permission check in claude-code-action v1.0.94. Microsoft published a complementary analysis on June 5, 2026, documenting a related /proc file access gap and attributing an additional mitigation to Claude Code v2.1.128.
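The trust pattern described above, shown beside a hardened check, as an added illustration in TypeScript (the language claude-code-action is written in). This is not the project's source: the permission table, actor names and the allowedBots parameter are constructed for the example, and a real implementation would query the GitHub collaborators permission API instead of the in-memory table.

```typescript
// Added illustration, not claude-code-action's code. The permission data,
// actor names and the allowedBots allowlist below are assumptions.

type Permission = "admin" | "write" | "read" | "none";

// Constructed stand-in for
// GET /repos/{owner}/{repo}/collaborators/{username}/permission.
const REPO_PERMISSIONS: Record<string, Permission> = {
  "maintainer": "write",
  "drive-by-user": "read",
  "dependabot[bot]": "write",
  "attacker-app[bot]": "none", // self-registered GitHub App, no collaborator role
};

export function lookupPermission(actor: string): Permission {
  return REPO_PERMISSIONS[actor] ?? "none";
}

function hasWrite(perm: Permission): boolean {
  return perm === "admin" || perm === "write";
}

// Vulnerable form: the [bot] suffix short-circuits the permission lookup.
// Every GitHub App acts as "<slug>[bot]", so any attacker-registered app passes.
export function checkWritePermissionsVulnerable(actor: string): boolean {
  if (actor.endsWith("[bot]")) {
    return true;
  }
  return hasWrite(lookupPermission(actor));
}

// Hardened form: apps are denied by default; only an explicit allowlist of
// app logins is accepted, and humans still go through the permission lookup.
export function checkWritePermissionsHardened(
  actor: string,
  allowedBots: ReadonlySet<string> = new Set<string>(),
): boolean {
  if (actor.endsWith("[bot]")) {
    return allowedBots.has(actor);
  }
  return hasWrite(lookupPermission(actor));
}

// Demonstration on the constructed data.
const ACTORS = ["maintainer", "drive-by-user", "dependabot[bot]", "attacker-app[bot]"];
for (const actor of ACTORS) {
  console.log(
    actor.padEnd(18),
    "vulnerable:", checkWritePermissionsVulnerable(actor),
    "hardened:", checkWritePermissionsHardened(actor, new Set(["dependabot[bot]"])),
  );
}
```

The important difference is where the decision comes from: the vulnerable check derives trust from a string the attacker chooses (their app's login), while the hardened check derives it from repository state the attacker cannot write (the collaborator permission, or a maintainer-curated allowlist).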
Attack Chain
With the permission bypass in place, an attacker could plant an indirect prompt injection payload in an issue body, as text that is hidden in the rendered view (for instance inside an HTML comment) but delivered verbatim to the agent as context. The payload instructed Claude Code to read /proc/self/environ, the Linux pseudo-file holding the running process's environment variables, which in the workflow included secrets, and then to write the contents back to the issue via the mcp__github__update_issue tool, making them readable to the attacker. Among the exposed variables were the OIDC request credentials ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL; with these the attacker can mint the workflow's OIDC token, which the action's token exchange turns into a Claude GitHub App installation token with full repository write access. Because Anthropic's own claude-code-action repository used the same vulnerable workflow, a successful attack could have injected malicious code into the action itself and propagated to every downstream repository that runs it.
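What the agent actually sees when it reads /proc/self/environ, and the child-process scrubbing that the Remediation section below describes, as an added example. The environment bytes, the secret values and the list of sensitive variable names are constructed for this example and are not taken from a real runner or from Anthropic's code; the two ACTIONS_ID_TOKEN_REQUEST_* names are the ones the advisory cites, the other patterns are an assumption about what else should be withheld from a child.

```typescript
import { spawnSync } from "node:child_process";

// Added example, not claude-code-action's code. SAMPLE_ENVIRON and the
// SENSITIVE_ENV patterns are constructed assumptions for illustration.

// /proc/self/environ is a sequence of KEY=VALUE records separated by NUL bytes.
export function parseProcEnviron(raw: Buffer): Record<string, string> {
  const env: Record<string, string> = {};
  for (const rec of raw.toString("utf8").split("\0")) {
    if (rec.length === 0) continue;
    const eq = rec.indexOf("=");
    if (eq <= 0) continue; // malformed record, skip it
    env[rec.slice(0, eq)] = rec.slice(eq + 1);
  }
  return env;
}

// Variables that let their holder mint or use credentials. The OIDC request
// pair is named in the advisory; the rest is a conservative assumption.
const SENSITIVE_ENV: RegExp[] = [
  /^ACTIONS_ID_TOKEN_REQUEST_(TOKEN|URL)$/,
  /^GITHUB_TOKEN$/,
  /(^|_)(TOKEN|SECRET|PASSWORD|API_KEY)$/i,
];

export function isSensitiveEnvName(name: string): boolean {
  return SENSITIVE_ENV.some((re) => re.test(name));
}

export function sensitiveNames(env: Record<string, string>): string[] {
  return Object.keys(env).filter(isSensitiveEnvName).sort();
}

// The environment a child process should receive: everything except the
// sensitive names, so PATH and friends still work but credentials do not leak.
export function scrubbedEnv(env: Record<string, string | undefined>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [k, v] of Object.entries(env)) {
    if (v !== undefined && !isSensitiveEnvName(k)) out[k] = v;
  }
  return out;
}

// Spawn a child (node itself) and ask it which of the given names it can see.
export function childVisibleNames(names: string[], env: Record<string, string>): string[] {
  const script =
    "process.stdout.write(JSON.stringify(process.argv.slice(1).filter(n => n in process.env)))";
  const r = spawnSync(process.execPath, ["-e", script, ...names], { env, encoding: "utf8" });
  if (r.status !== 0) throw new Error(`child failed: ${r.stderr}`);
  return JSON.parse(r.stdout) as string[];
}

// Constructed stand-in for the bytes of /proc/self/environ inside a job.
export const SAMPLE_ENVIRON: Buffer = Buffer.from(
  [
    "PATH=/usr/bin:/bin",
    "GITHUB_REPOSITORY=example/repo",
    "ACTIONS_ID_TOKEN_REQUEST_URL=https://example.invalid/oidc", // constructed
    "ACTIONS_ID_TOKEN_REQUEST_TOKEN=constructed-oidc-request-token",
    "NPM_TOKEN=constructed-npm-token",
    "CI=true",
  ].join("\0") + "\0",
);

const seen = parseProcEnviron(SAMPLE_ENVIRON);
const leaked = sensitiveNames(seen);
console.log("sensitive variables readable from /proc/self/environ:", leaked);
console.log(
  "visible to a scrubbed child:",
  childVisibleNames(leaked, scrubbedEnv({ ...process.env, ...seen })),
);
```

Scrubbing the child's environment only helps if the agent's tools run as children of the scrubbing process; a tool that reads /proc/<pid>/environ of the parent still sees the originals, which is why the Remediation section treats /proc access as a separate gap from child-process scrubbing.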
Active Exploitation
Variants of a related misconfiguration in Anthropic's example issue-triage workflow (allowed_non_write_users: "*") were exploited in the wild before RyotaK published. Cline's GitHub Actions triage workflow was compromised on February 17, 2026, per RyotaK's disclosure timeline: an attacker stole an npm publish token and pushed an unauthorized [email protected] release. RyotaK notes he has reported approximately 50 separate ways to bypass Claude Code's permission system to Anthropic, and additional exfiltration channels existed via the gh CLI and workflow run summaries before Anthropic patched them.
Remediation
Anthropic blocked GitHub Apps from triggering agent-mode workflows by default, disabled workflow run summary output (a secondary exfiltration channel), scrubbed environment variables from child processes, and added argument validation to the gh command wrapper to prevent URL-based exfiltration. The vulnerabilities were rated CVSS v4.0 7.8 (High) and Anthropic paid a $4,800 bounty ($3,800 plus $1,000 bonus). Teams using Claude Code GitHub Actions should upgrade to claude-code-action v1.0.94 or later, audit their workflows for allowed_non_write_users: "*", grant the workflow and the agent only the secrets and permissions they need, and review run logs, issue edit histories and gh invocations for signs of compromise.
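An audit helper for the two workflow-level checks recommended above, as an added example rather than anything Anthropic ships. It scans workflow YAML text for a claude-code-action reference older than v1.0.94 (or a floating ref that cannot be compared) and for allowed_non_write_users set to "*". The two workflow files are constructed, including the v1.0.90 version string, and the line-based matching is a deliberate simplification: unusual YAML layouts need a real parser.

```typescript
// Added audit helper, not Anthropic's tooling. The sample workflows below
// are constructed; the v1.0.94 threshold is the fixed release named in the
// advisory.

export interface Finding {
  line: number;
  rule: "vulnerable-version" | "floating-ref" | "sha-ref" | "open-trigger";
  detail: string;
}

type Ver = [number, number, number];
const FIXED: Ver = [1, 0, 94];

function parseTag(ref: string): Ver | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(ref);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function olderThanFix(v: Ver): boolean {
  if (v[0] !== FIXED[0]) return v[0] < FIXED[0];
  if (v[1] !== FIXED[1]) return v[1] < FIXED[1];
  return v[2] < FIXED[2];
}

export function auditWorkflow(yaml: string): Finding[] {
  const findings: Finding[] = [];
  yaml.split(/\r?\n/).forEach((text, i) => {
    const line = i + 1;
    const uses = /^\s*-?\s*uses:\s*anthropics\/claude-code-action@(\S+)/.exec(text);
    if (uses) {
      const ref = uses[1] ?? "";
      const v = parseTag(ref);
      if (v !== null) {
        if (olderThanFix(v)) {
          findings.push({ line, rule: "vulnerable-version", detail: `${ref} predates the v1.0.94 permission fix` });
        }
      } else if (/^[0-9a-f]{40}$/.test(ref)) {
        findings.push({ line, rule: "sha-ref", detail: "pinned to a commit; confirm it is at or after the v1.0.94 tag" });
      } else {
        findings.push({ line, rule: "floating-ref", detail: `ref ${ref} is not a release tag; pin to v1.0.94 or later` });
      }
    }
    if (/^\s*allowed_non_write_users:\s*["']?\*["']?\s*$/.test(text)) {
      findings.push({ line, rule: "open-trigger", detail: 'allowed_non_write_users: "*" lets any account trigger the agent' });
    }
  });
  return findings;
}

// Constructed workflow resembling the example issue-triage setup, before the fix.
export const VULNERABLE_WORKFLOW: string = [
  "name: Issue triage",
  "on:",
  "  issues:",
  "    types: [opened]",
  "jobs:",
  "  triage:",
  "    runs-on: ubuntu-latest",
  "    permissions:",
  "      contents: read",
  "      issues: write",
  "      id-token: write",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: anthropics/claude-code-action@v1.0.90", // constructed pre-fix tag
  "        with:",
  "          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}",
  '          allowed_non_write_users: "*"',
].join("\n");

// Same workflow after remediation: fixed tag, open trigger removed.
export const FIXED_WORKFLOW: string = VULNERABLE_WORKFLOW
  .replace("@v1.0.90", "@v1.0.94")
  .replace(/\n\s*allowed_non_write_users: "\*"/, "");

for (const [name, text] of [["vulnerable", VULNERABLE_WORKFLOW], ["fixed", FIXED_WORKFLOW]] as const) {
  const findings = auditWorkflow(text);
  console.log(`${name}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  line ${f.line} [${f.rule}] ${f.detail}`);
}
```

Run this over every file under .github/workflows; a SHA-pinned reference is reported separately because a commit hash cannot be ordered against a tag without consulting the upstream repository.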
Broader Implications
The incident illustrates a structural challenge in agentic CI/CD: AI agents that ingest repository content as context inherit that content's trust level, and any attacker who can write content the agent reads can attempt to redirect its actions. Prompt injection in agentic workflows is an active and unresolved research area, with real supply chain consequences when agents operate with broad repository permissions.
Scoring Rationale
High-severity vulnerability in Claude Code's GitHub Action (CVSS v4.0 7.8), confirmed real-world supply chain exploitation (Cline npm token theft, February 2026), and potential impact on every downstream repository. The incident demonstrates a novel prompt injection plus permission bypass attack chain directly relevant to practitioners using agentic AI in CI/CD. Score reflects the breadth of impact, active exploitation, and the roughly 50 additional bypasses the researcher reports having filed.

