Skip to main content

claude-code-action CVE-2026-47751

MEDIUM
OS Command Injection (CWE-78)
2026-06-10 https://github.com/anthropics/claude-code-action GHSA-8q5r-mmjf-575q
Share

Severity by source

vuln.today AI
8.2 HIGH

Network vector (PR submission), high complexity (privileged trigger required), no attacker privileges needed to open a PR, user interaction required (maintainer must invoke action), scope changed to runner environment with full secret exfiltration (C:H) and code execution (I:H).

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 10, 2026 - 20:01 vuln.today
Analysis Generated
Jun 10, 2026 - 20:01 vuln.today

DescriptionCVE.org

Due to the combination of checking out PR head branches (attacker-controlled), reading .mcp.json from the working directory via default setting sources, and unconditionally enabling all project MCP servers via enableAllProjectMcpServers, it was possible for an attacker who opened a PR containing a malicious .mcp.json file to achieve arbitrary code execution on the GitHub Actions runner. This could lead to exfiltration of secrets available to the workflow (such as API keys and tokens) when a privileged user triggered the Claude action on the PR. Exploiting this required the ability to open a pull request against a repository using the claude-code-action and a privileged user or automatic trigger to invoke the action on that PR.

Users pinned to a vulnerable version of claude-code-action are advised to update to the latest version. Users referencing anthropics/claude-code-action@v1, anthropics/claude-code-action@beta, anthropics/claude-code-action@main, or other non-pinned tags will have received this fix already

Claude Code thanks hackerone.com/reptou for reporting this issue.

AnalysisAI

Malicious MCP server configuration injection via pull requests enables remote code execution on GitHub Actions runners running anthropics/claude-code-action versions prior to 1.0.74. The action's combination of checking out attacker-controlled PR head branches, reading .mcp.json from the working directory by default, and unconditionally enabling all discovered project MCP servers creates a poisoned pipeline execution path - an attacker who can open a PR can plant a malicious .mcp.json that executes arbitrary commands once a privileged user or automated trigger invokes the Claude action against that PR. Successful exploitation results in full secret exfiltration from the workflow environment, including API keys and tokens accessible to the runner. No public exploit identified at time of analysis; the fix was disclosed via GitHub Security Advisory GHSA-8q5r-mmjf-575q and patched in version 1.0.74.

Technical ContextAI

The Model Context Protocol (MCP) is an Anthropic-defined extension mechanism allowing Claude to interact with external tools and services via configurable server definitions. The claude-code-action GitHub Action integrates Claude into CI/CD workflows and, prior to 1.0.74, sourced MCP server configuration from .mcp.json files in the working directory as part of its default settings-loading behavior. The enableAllProjectMcpServers flag caused every server listed in that file to be started unconditionally without any trust boundary or allowlist check. Because GitHub Actions workflows that operate on pull requests check out the PR's head branch - which is fully attacker-controlled - the working directory contains whatever files the PR author committed, including a crafted .mcp.json. This constitutes a Poisoned Pipeline Execution (PPE) pattern, classified under CWE-78 (OS Command Injection): external, untrusted input (the PR's file contents) is incorporated into a command-execution context without sanitization or trust validation, leading to arbitrary code execution in the runner's shell environment. The affected package is identified as pkg:actions/anthropics_claude-code-action, versions < 1.0.74.

RemediationAI

The primary fix is to upgrade to anthropics/claude-code-action@v1.0.74 or later. Users already referencing floating tags (@v1, @beta, @main) have received the patch automatically per the vendor advisory at https://github.com/anthropics/claude-code-action/security/advisories/GHSA-8q5r-mmjf-575q. Users pinned to a specific SHA or version tag below 1.0.74 must update their workflow YAML references immediately. As an interim compensating control before patching, consider restricting the workflow trigger so the Claude action only executes on PRs from trusted contributors (e.g., using if: github.event.pull_request.head.repo.full_name == github.repository to exclude forks), though this limits the intended automation value. Alternatively, disable the action entirely for external PRs until upgraded. Do not rely on manual reviewer diligence alone - the malicious .mcp.json may not be visually obvious in a PR diff, particularly in large changesets.

Share

CVE-2026-47751 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy