Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories

What’s new: A vulnerability in Anthropic’s Claude Code GitHub Action allowed attackers to hijack public repositories by exploiting a flaw that permitted any user with a GitHub App to trigger the action. This flaw was reported by RyotaK of GMO Flatt Security in January 2026 and was patched within four days. The vulnerability was rated 7.8 under CVSS v4.0. The issue stemmed from a misconfiguration that allowed bots to bypass permission checks, enabling indirect prompt injection attacks that could expose sensitive environment variables and credentials.

Who’s affected

Any public repository utilizing the Claude Code GitHub Action prior to version 1.0.94 is at risk. Repositories that allow non-write users or bots to trigger the action may also be vulnerable to similar exploits.

What to do

• Update to claude-code-action v1.0.94 or later.
• Audit workflows that allow users without write access or bots to trigger Claude Code.
• Ensure that only trusted input is fed into the action, limiting exposure of sensitive data.
• Remove unnecessary tools and permissions that could be exploited for data exfiltration.

Sources

• The Hacker News