Claude Code's GitHub Action Flaw Exposed CI/CD Secrets to Attackers: Here's What Happened
A critical vulnerability in Anthropic's Claude Code GitHub Action allowed unauthenticated attackers to steal CI/CD secrets and OIDC tokens through a prompt injection chain, potentially compromising entire software supply chains. Security researcher RyotaK of GMO Flatt Security disclosed the flaw, which Anthropic rated at a CVSS v4.0 score of 7.8 and patched in version 1.0.94 after a responsible disclosure process.
How Did the Attack Work?
The exploit combined two separate failures in the action's design. First, the checkWritePermissions function unconditionally trusted any actor whose username ended in "[bot]", a pattern that GitHub Apps use by default. Because GitHub Apps have implicit read access to public repositories and can open issues or pull requests using only an installation token, an attacker could register a malicious app and bypass the permission check entirely.
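The suffix-trust failure described above, as an added illustration that is not the action's own code: a minimal reconstruction of the vulnerable check beside a hardened form that refuses blanket trust for the "[bot]" name pattern. The function names, the permission-lookup callback and the constructed permission table are assumptions for this example; the real checkWritePermissions implementation is not shown on the page.

```javascript
// Added example (not claude-code-action's code). Constructed stand-in for a
// collaborator-permission lookup against the repository; a real check would
// call the GitHub API and map the response to a permission level.
const constructedPermissions = {
  maintainer: "admin",
  contributor: "write",
  "drive-by": "read",
};

function lookupPermissionFromTable(actor) {
  return constructedPermissions[actor] ?? "none";
}

// Vulnerable shape: any login ending in "[bot]" is trusted before any
// permission lookup happens, so a freshly registered GitHub App identity
// (constructed name below: "unknown-app[bot]") passes the check.
function checkWritePermissionsVulnerable(actor, lookupPermission) {
  if (actor.endsWith("[bot]")) return true; // unconditional trust in a name pattern
  const level = lookupPermission(actor);
  return level === "write" || level === "admin";
}

// Hardened shape: the name pattern grants nothing. Bot identities are accepted
// only from an explicit operator allow-list, every human actor is resolved to a
// real permission level, and a failed lookup denies rather than grants.
function checkWritePermissionsHardened(actor, lookupPermission, trustedBots = []) {
  if (actor.endsWith("[bot]")) {
    return trustedBots.includes(actor); // fail closed for unknown bots
  }
  let level;
  try {
    level = lookupPermission(actor);
  } catch {
    return false; // lookup error: treat as no access
  }
  return level === "write" || level === "admin";
}

// Stand-alone demonstration for the reader.
for (const actor of ["unknown-app[bot]", "contributor", "drive-by"]) {
  console.log(
    actor,
    "vulnerable:", checkWritePermissionsVulnerable(actor, lookupPermissionFromTable),
    "hardened:", checkWritePermissionsHardened(actor, lookupPermissionFromTable)
  );
}
```

The point of the hardened version is that no identity class bypasses the lookup: a bot is either named in an allow-list the operator maintains, or it is treated exactly like an unknown user.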
Second, Anthropic's example workflows used a wildcard permission setting (allowed_non_write_users: "*") paired with issues: write permissions and a second workflow holding id-token: write. This combination let an attacker chain the two workflows together, capture a token from Claude's publicly visible run summary, then edit an issue to inject instructions into the tag-mode workflow.
The most dangerous part of the attack targeted the ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL environment variables. These are the credentials GitHub Actions uses to request an OIDC (OpenID Connect) token from GitHub's infrastructure. Claude Code uses that OIDC token to obtain a privileged Claude GitHub App installation token from Anthropic's backend. With the exfiltrated values, an attacker could replay the entire exchange and obtain a token with write access to repository contents, issues, pull requests, and workflows.
Why Should Developers Care About This Flaw?
This vulnerability sits at the intersection of two growing security challenges in software development: AI agents integrated into continuous integration and continuous deployment (CI/CD) pipelines, and prompt injection attacks that can turn user-controlled input into commands. The Cloud Security Alliance's research notes that this incident belongs to a broader class of risks affecting multiple AI coding agents wired into CI/CD systems, including GitHub Copilot Coding Agent, Google Gemini CLI, and Claude Code.
Researchers have documented a pattern called "Comment and Control" that generalizes this idea: untrusted issue, pull request, and comment text becomes a command path to privileged runtime state. This means any AI agent that reads and acts on repository comments, issues, or pull requests could potentially be manipulated into exposing secrets or executing unintended actions.
How to Secure Your AI Agent Deployments in CI/CD
- Treat Input as Untrusted: Issue, pull request, and comment fields should be treated as tainted input when an agent can act on them. Never assume that text in these fields is safe or comes from a trusted source.
- Audit Workflow Permissions: Review your workflow triggers carefully and avoid wildcard allow-lists such as allowed_non_write_users: "*". Separate id-token: write jobs from agent jobs to limit the blast radius if one is compromised.
- Update and Review Token Scoping: Update to claude-code-action v1.0.94 or later and review the least-privilege scoping of both installation tokens and OIDC token exchange. Only grant agents the minimum permissions they need to function.
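The three hardening steps above can be checked mechanically. The following is an added example, not Anthropic's tooling: a small lint that walks a parsed workflow (the object a YAML parser would return; parsing is omitted so the block runs stand-alone) and reports a wildcard allowed_non_write_users, an agent job that also holds id-token: write, the wildcard combined with issues: write, and an action ref older than the v1.0.94 fix. The action's repository path, the job and step layout, the finding wording, and the two constructed workflows are assumptions for illustration; the configuration keys themselves are the ones the article names.

```javascript
// Added example (not the project's code): lint a parsed GitHub Actions workflow
// for the anti-patterns described in the advisory.
const MIN_SAFE_VERSION = [1, 0, 94]; // fix shipped in claude-code-action v1.0.94

function parseVersion(ref) {
  // Accepts "v1.0.94" or "1.0.94"; returns null for major tags, branches or SHAs.
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(ref || "");
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function versionLess(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

function isAgentStep(step) {
  return typeof step.uses === "string" && step.uses.includes("claude-code-action");
}

function lintWorkflow(workflow) {
  const findings = [];
  for (const [jobName, job] of Object.entries(workflow.jobs || {})) {
    // Job-level permissions override workflow-level ones; fall back accordingly.
    const perms = job.permissions ?? workflow.permissions ?? {};
    for (const step of job.steps || []) {
      if (!isAgentStep(step)) continue;
      const args = step.with || {};
      const wildcard = args.allowed_non_write_users === "*";
      if (wildcard) {
        findings.push(`${jobName}: allowed_non_write_users is "*", so any account can drive the agent`);
      }
      if (perms["id-token"] === "write") {
        findings.push(`${jobName}: agent job holds id-token: write; move OIDC use to a separate job`);
      }
      if (wildcard && perms.issues === "write") {
        findings.push(`${jobName}: wildcard allow-list plus issues: write lets untrusted text reach a writable agent`);
      }
      const ref = step.uses.includes("@") ? step.uses.split("@")[1] : "";
      const version = parseVersion(ref);
      if (version === null) {
        findings.push(`${jobName}: action ref "${ref}" is not a release version; cannot confirm it is at least v1.0.94`);
      } else if (versionLess(version, MIN_SAFE_VERSION)) {
        findings.push(`${jobName}: claude-code-action ${ref} predates the v1.0.94 fix`);
      }
    }
  }
  return findings;
}

// Constructed workflow mirroring the weak pattern: wildcard allow-list, issues
// and id-token write at workflow scope, and a pre-fix version. (Repository path
// of the action is assumed.)
const weakWorkflow = {
  permissions: { contents: "read", issues: "write", "id-token": "write" },
  jobs: {
    claude: {
      steps: [
        { uses: "anthropics/claude-code-action@v1.0.90", with: { allowed_non_write_users: "*" } },
      ],
    },
  },
};

// Constructed corrected workflow: allow-list left unset, agent job scoped to the
// permissions it needs, OIDC token issuance isolated in a job with no agent step.
const hardenedWorkflow = {
  permissions: { contents: "read" },
  jobs: {
    claude: {
      permissions: { contents: "read", "pull-requests": "write" },
      steps: [{ uses: "anthropics/claude-code-action@v1.0.94" }],
    },
    publish: {
      permissions: { "id-token": "write" },
      steps: [{ run: "echo publish step with no agent" }],
    },
  },
};

console.log("weak:", lintWorkflow(weakWorkflow));
console.log("hardened:", lintWorkflow(hardenedWorkflow));
```

Running the lint on the weak workflow yields four findings and on the corrected one none; a ref such as "@v1" is reported as unverifiable rather than silently accepted, since a floating major tag does not tell you which patch level the runner will fetch.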
RyotaK reported the vulnerability to Anthropic in January, and the company fixed the core bypass within four days, demonstrating a responsible disclosure process. Anthropic paid a $4,800 bug bounty for the discovery and continued hardening the action through the spring before the public disclosure.
The incident highlights a critical challenge as AI coding agents become more powerful and autonomous: they need enough access to be useful, but that same access can become a liability if the agent is compromised or manipulated. Organizations running AI agents in CI/CD pipelines should treat them as high-risk infrastructure and apply the same security rigor they would to any other system with write access to production code.