Claude Code GitHub Action bot trigger bypass security flaw
Vulnerability
Summary
Hide ▲
Show ▼
Anthropic's Claude Code GitHub Action had a trigger-check bypass that let a malicious GitHub issue escalate into repository takeover for vulnerable public repositories. The flaw also enabled secret extraction from CI/CD workflows that trusted the action's access model. Anthropic shipped a fix in claude-code-action v1.0.94 after the report in January 2026.
Related Happenings
Ghostcommit PNG-embedded prompt injection against AI code reviewers
Technical Analysis
H score25
First: 11.07.2026 12:03
Last: 11.07.2026 12:03
Sources 1
About this happening:
Researchers demonstrated Ghostcommit, a PNG-embedded prompt-injection technique that can bypass AI code review and leak .env secrets into committed source. The pay...
Ghostcommit PNG-embedded prompt injection against AI code reviewers
Technical AnalysisAbout this happening: Researchers demonstrated Ghostcommit, a PNG-embedded prompt-injection technique that can bypass AI code review and leak .env secrets into committed source. The pay...
AI coding assistants GhostApproval symlink security flaw
Vulnerability
H score22
First: 09.07.2026 07:27
Last: 09.07.2026 07:27
Sources 1
About this happening:
A July 8 disclosure identified GhostApproval, a symlink flaw in six AI coding assistants that can redirect approved writes into ~/.ssh/authorized_keys or ~/....
AI coding assistants GhostApproval symlink security flaw
VulnerabilityAbout this happening: A July 8 disclosure identified GhostApproval, a symlink flaw in six AI coding assistants that can redirect approved writes into ~/.ssh/authorized_keys or ~/....
Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files
Technical Analysis
H score22
First: 08.07.2026 14:21
Last: 08.07.2026 14:21
Sources 1
About this happening:
Researchers demonstrated a workflow-level jailbreak against GitHub Copilot Chat that caused harmful answers to be written inside code tasks even when direct chat prompts w...
Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files
Technical AnalysisAbout this happening: Researchers demonstrated a workflow-level jailbreak against GitHub Copilot Chat that caused harmful answers to be written inside code tasks even when direct chat prompts w...
GitHub Agentic Workflows indirect prompt injection security flaw
Vulnerability
H score27
First: 07.07.2026 17:04
Last: 07.07.2026 17:04
Sources 1
About this happening:
GitHub Agentic Workflows has an indirect prompt injection flaw that can let a public issue leak content from private repositories into public comments. The risk is...
GitHub Agentic Workflows indirect prompt injection security flaw
VulnerabilityAbout this happening: GitHub Agentic Workflows has an indirect prompt injection flaw that can let a public issue leak content from private repositories into public comments. The risk is...
CI/CD pull-request privilege-escalation flaw (Cordyceps)
Vulnerability
H score32
First: 24.06.2026 15:48
Last: 24.06.2026 15:48
Sources 1
About this happening:
Cordyceps exposed a CI/CD workflow privilege-escalation flaw in pull-request automation that let unauthenticated users hijack privileged workflows and reach open-s...
CI/CD pull-request privilege-escalation flaw (Cordyceps)
VulnerabilityAbout this happening: Cordyceps exposed a CI/CD workflow privilege-escalation flaw in pull-request automation that let unauthenticated users hijack privileged workflows and reach open-s...
Timeline
-
04.06.2026 18:15 2 articles · 1mo ago
Claude Code GitHub Action trigger bypass lets public repositories be hijacked
Initial DisclosureRyotaK of GMO Flatt Security disclosed that Anthropic's Claude Code GitHub Action accepted a single opened GitHub issue as a trigger path on vulnerable public repositories, enabling indirect prompt injection to steal workflow secrets and reach write access. Anthropic said it fixed the core bypass within four days after the January 2026 report, continued hardening through the spring, and shipped the fixes in claude-code-action v1.0.94; the issue was rated 7.8 under CVSS v4.0 and a bug bounty was paid.
Show sources
- Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories — thehackernews.com — 04.06.2026 18:15
- Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories — thehackernews.com — 04.06.2026 18:15