Claude Code Flaw Exposes Repositories to Compromise

Security researchers at Flatt.tech disclosed a critical supply-chain vulnerability in Anthropic's Claude Code GitHub Actions integration that a single malicious GitHub issue, pull request, or comment could exploit to compromise a repository. The vulnerability allowed an attacker to execute arbitrary commands on the runner with access to workflow secrets, including OpenID Connect tokens, by loading a malicious .mcp.json file with the enableAllProjectMcpServers setting enabled by default. Anthropic shipped a fix in Claude Code GitHub Actions v1.0.94, and the vulnerability received a CVSS severity score of 7.8.

Claude Code Flaw Exposes Repositories to Compromise Security researchers at Flatt.tech GMO Flatt Security disclosed a critical supply-chain vulnerability in Anthropic's Claude Code GitHub Actions integration that a single malicious GitHub issue, pull request, or comment could exploit to compromise a repository. According to Tenable , the action checked out the attacker-controlled PR head branch and loaded a malicious .mcp.json with enableAllProjectMcpServers on by default, starting an attacker-defined MCP server and running arbitrary commands on the runner with access to workflow secrets. Flatt.tech and The Hacker News report the chain could exfiltrate secrets, including OpenID Connect tokens, and even poison the Claude Code action's own repository to reach downstream users. SecurityWeek ties it to a cross-vendor prompt-injection pattern it calls "Comment and Control," which also affected Gemini CLI and GitHub Copilot agents. Reporting indicates a CVSS severity of 7.8 , and Anthropic shipped a fix in Claude Code GitHub Actions v1.0.94 . What happened Researchers at Flatt.tech GMO Flatt Security and others disclosed a critical supply-chain vulnerability in Anthropic's Claude Code GitHub Actions integration that could be triggered by a crafted GitHub issue, pull request title, or comment, according to Flatt.tech and GBHackers . Tenable's advisory describes the chain: in a pull-request context the action checks out the PR head branch, making the working directory attacker-controlled, then loads settings settingsSource: "user","project","local" that can include a malicious .mcp.json. Tenable says enableAllProjectMcpServers was set to true by default, letting an attacker-defined MCP server start automatically and execute arbitrary commands on the runner with access to workflow secrets. Flatt.tech showed this could be combined with a permission-validation bypass to exfiltrate secrets, including the OpenID Connect token credentials GitHub Actions uses. Reporting indicates a CVSS severity of 7.8 . Technical details The reported root causes are the PR-head checkout, a configuration load order that trusts repository-supplied settings, and the default enableAllProjectMcpServers flag, which together let attacker-controlled files start an MCP server and reach secrets Tenable . Flatt.tech and GBHackers note that example workflow defaults such as allowed non write users: widened the surface by letting external contributors trigger privileged workflows. SecurityWeek frames these as instances of a broader prompt-injection class it names "Comment and Control," in which untrusted GitHub content bypasses AI-agent guardrails to obtain credentials or run commands. Industry context Because a vulnerable action is reused across many repositories, trust is transitive: Flatt.tech notes that since the Claude Code action repository used the same workflow, an attacker could in principle alter the action's own source and affect every downstream repository that consumes it. SecurityWeek reports the same technique reaching other automation agents, including Gemini CLI and GitHub Copilot, indicating a cross-vendor class of risk rather than a single-product bug. For practitioners, workflow checkouts, configuration-load order, and default flags that auto-enable remote servers should be treated as high-risk primitives whenever untrusted input is in scope. What to watch - •Audit workflows that check out PR head branches and actions that load project- or local-scoped settings without explicit approval. - •Flag permissive defaults such as allowed non write users: or enableAllProjectMcpServers that grant execution from untrusted input. - •Review recent PR/issue activity and runner logs for injected payloads or anomalous secret access. - •Confirm your pinned action version includes the fix: Anthropic patched Claude Code GitHub Actions v1.0.94 with mitigations including blocking GitHub Apps from triggering workflows by default and tighter command-execution validation Flatt.tech; The Hacker News . Scoring Rationale This is a major supply-chain vulnerability in a CI/CD GitHub Action that can produce remote code execution and secret exfiltration; the issue maps to a broader prompt-injection class affecting multiple agent tools and therefore matters to many practitioners. Practice interview problems based on real data 1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with. Try 250 free problems /problems