{"slug": "claude-code-exposes-oidc-tokens-via-github-action-flaw", "title": "Claude Code exposes OIDC tokens via GitHub Action flaw", "summary": "Microsoft Threat Intelligence identified a prompt-injection vulnerability in Anthropic's Claude Code GitHub Action that could expose CI/CD workflow secrets, according to the Microsoft Security Blog. Security researcher RyotaK of GMO Flatt Security demonstrated an exploit using a fake bot actor and prompt injection to trick Claude into reading and exfiltrating environment variables from /proc/self/environ into a GitHub issue. Anthropic patched the flaw in claude-code-action v1.0.94, assigned a CVSS v4.0 score of 7.8, and paid a $4,800 bug bounty, per The Next Web and The Hacker News.", "body_md": "# Claude Code exposes OIDC tokens via GitHub Action flaw\n\nMicrosoft Threat Intelligence identified a prompt-injection pathway in Anthropic's **Claude Code** GitHub Action that could expose workflow secrets, according to the Microsoft Security Blog. Security researcher RyotaK of GMO Flatt Security published a technical disclosure showing an exploit that used a fake bot actor and prompt injection to coax Claude into reading /proc/self/environ and writing environment values back into an issue, as reported by RyotaK and summarized by The Next Web and The Hacker News. Anthropic deployed fixes in claude-code-action **v1.0.94**, assigned a **7.8** CVSS v4.0 rating, and paid a **$4,800** bounty, per The Next Web and The Hacker News. The Cloud Security Alliance paper frames this as part of a broader class of AI-powered CI/CD prompt-injection risks that can lead to credential theft and supply-chain compromise.\n\n### What happened\n\nMicrosoft Threat Intelligence documented a prompt-injection pathway in Anthropic's **Claude Code** GitHub Action that could allow an attacker to access CI/CD workflow secrets, per the Microsoft Security Blog. Security researcher RyotaK of GMO Flatt Security published a technical writeup demonstrating an exploit path that used a repository-created bot actor plus carefully crafted issue text to bypass the action's trigger checks and induce Claude to read and exfiltrate environment variables from /proc/self/environ, as described in RyotaK's disclosure and in reporting by The Next Web and The Hacker News. Anthropic released mitigations and updates in claude-code-action **v1.0.94**, and according to The Next Web and The Hacker News the company rated the finding **7.8** under CVSS v4.0 and paid a **$4,800** bug bounty.\n\n### Editorial analysis - technical context\n\nThe exploit chain combines two distinct failure modes observed across AI agents embedded in CI/CD. First, agent trigger checks that implicitly trust actors whose names end in \"[bot]\" allowed a malicious actor using a self-installed GitHub App to submit content that the action treated as legitimate input, a behavior detailed by The Next Web and The Hacker News. Second, prompt-injection techniques convert attacker-controlled repository content into executable instructions for the agent. The attacker in RyotaK's case framed an issue body as an error-recovery narrative that led Claude to surface environment variables into an issue body, per the published writeup and media coverage. The critical asset exposed in this chain is the OIDC-related environment data used to request workflow identity tokens and exchange them for installation tokens with repository write privileges, a step highlighted in The Next Web reporting.\n\n### Industry context\n\nCloud Security Alliance's rapid-research note places this incident in a larger pattern where AI coding agents processing untrusted repository inputs can hold elevated privileges and become direct exfiltration vectors; the CSA document names this class of attacks and references earlier supply-chain compromises to show precedent. The CSA report also documents the \"Comment and Control\" attack class and cites prior CVEs that affected third-party Actions and supply-chain integrity. Both the reporting and the CSA paper underscore that AI tooling in automated workflows changes the threat model: untrusted text fields (issues, PRs, comments) are now potential command paths to privileged runtime state.\n\n### What to watch\n\n- Indicators of compromise and misconfiguration: automated workflow runs triggered by unverified \"bot\" actors, unexpected writes to issues or PRs containing environment-like output, and anomalous use of installation or OIDC tokens, as discussed in the RyotaK disclosure and media coverage.\n- Patch adoption: updates to claude-code-action **v1.0.94** and vendor hardening timelines summarized by The Next Web and The Hacker News.\n- Third-party Action exposure: the Cloud Security Alliance paper notes that many workflows embed third-party actions; teams should map downstream consumption to assess blast radius.\n\n### For practitioners\n\nIndustry experience and the CSA analysis indicate that AI agents in CI/CD introduce a new, high-value attack surface where content-parsing logic can be weaponized. Practitioners should treat untrusted repository fields as tainted input and verify workflow triggers and least-privilege token exchange patterns when integrating agentic tools into pipelines.\n\n## Scoring Rationale\n\nThis story documents a concrete exploit path that allowed OIDC token and credential theft via an AI agent embedded in CI/CD, with demonstrated repository takeover risk and an identified patch. The incident fits a broader supply-chain trend flagged by the Cloud Security Alliance and therefore has high operational relevance for practitioners.", "url": "https://wpnews.pro/news/claude-code-exposes-oidc-tokens-via-github-action-flaw", "canonical_source": "https://letsdatascience.com/news/claude-code-exposes-oidc-tokens-via-github-action-flaw-af9221a2", "published_at": "2026-06-05 17:54:12.854999+00:00", "updated_at": "2026-06-05 17:54:15.831594+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "ai-tools", "large-language-models", "artificial-intelligence"], "entities": ["Claude Code", "Anthropic", "Microsoft Threat Intelligence", "RyotaK", "GMO Flatt Security", "The Next Web", "The Hacker News", "Cloud Security Alliance"], "alternates": {"html": "https://wpnews.pro/news/claude-code-exposes-oidc-tokens-via-github-action-flaw", "markdown": "https://wpnews.pro/news/claude-code-exposes-oidc-tokens-via-github-action-flaw.md", "text": "https://wpnews.pro/news/claude-code-exposes-oidc-tokens-via-github-action-flaw.txt", "jsonld": "https://wpnews.pro/news/claude-code-exposes-oidc-tokens-via-github-action-flaw.jsonld"}}