A malicious GitHub issue could hijack your entire repository. Security researcher RyotaK demonstrated this by finding a critical flaw in Anthropic's Claude Code GitHub Action, identifying around 50 ways to bypass its permission system.
Anthropic patched the vulnerability within four days, highlighting how AI-driven CI/CD tools introduce attack vectors that traditional security controls weren't designed to handle. If your team uses AI agents in your pipeline, you need to understand what went wrong and how to prevent it in your own workflows.
What Happened
The Claude Code GitHub Action allows AI to review code, suggest changes, and interact with repositories using natural language. The vulnerability let attackers manipulate Claude's behavior through crafted GitHub issues, turning the AI agent into a tool for unauthorized repository access.
The flaw was in how Claude Code processed user inputs from GitHub issues and comments. An attacker could craft prompts that instructed Claude to perform actions beyond its intended scope, such as reading sensitive files or modifying code. The vulnerability received a CVSS v4.0 score of 7.8, indicating high severity.
Timeline
Initial Discovery: RyotaK identified the vulnerability while analyzing AI-driven GitHub Actions for prompt injection risks.
Reporting: The researcher documented approximately 50 bypass methods and reported them to Anthropic through their security disclosure process.
Patch Deployment: Anthropic released a fix within four days, updating the Claude Code GitHub Action to implement stricter input validation and permission boundaries.
Public Disclosure: After patch verification, RyotaK published details of the vulnerability to help other teams secure similar AI integrations.
Which Controls Failed or Were Missing
Input Validation: The action lacked sufficient sanitization of user-supplied content from GitHub issues and comments, treating it as trusted instructions.
Permission Boundaries: The action operated with overly broad GitHub token permissions, allowing compromised agents access to sensitive operations.
Context Isolation: Claude Code didn't adequately separate user-provided prompts from system instructions, enabling attackers to inject commands.
Least Privilege: The GitHub token used by the action wasn't scoped to the minimum permissions required, granting excessive access.
What the Standards Require
OWASP ASVS v4.0.3 Requirement 5.2.1 mandates that applications verify all untrusted data is validated, sanitized, or escaped. AI prompts from user input qualify as untrusted data. Your CI/CD workflows must treat GitHub issue content, pull request comments, and external API responses as hostile until proven otherwise.
PCI DSS v4.0.1 Requirement 6.4.3 requires that custom code is developed securely. This extends to AI agent configurations and prompt templates. When deploying an AI action, the prompts it receives and instructions it follows must undergo security review.
NIST 800-53 Rev 5 Control AC-6 (Least Privilege) requires that processes execute with only the privileges necessary for authorized functions. Your GitHub Actions tokens should grant read-only access unless write operations are explicitly required.
ISO/IEC 27001:2022 Control 8.3 (Access Restriction) demands that access to information and assets is restricted based on business requirements. AI agents need explicit permission boundaries to prevent lateral movement even if compromised.
Lessons and Action Items for Your Team
Audit Your AI Agent Permissions: List every AI tool in your CI/CD pipeline. Document what GitHub token scopes it uses and what operations it can perform. If you can't justify write access, revoke it and test with read-only tokens.
Treat AI Prompts as Injection Surfaces: Add prompt injection to your threat model. Review how your AI integrations construct prompts from external input. Sanitize user-supplied content before inclusion in prompts sent to language models.
Implement Prompt Template Hardening: Separate system instructions from user input in AI agent configurations. Use delimiters or structured formats to prevent user content from affecting instruction context. Test templates with adversarial inputs.
Scope Tokens Per Workflow Step: Don't use a single GitHub token for an entire workflow. Create separate tokens for each action that needs repository access, scoped to the permissions required.
Log AI Agent Actions Separately: Implement logging that records the full prompt sent to AI agents, the user who triggered the workflow, and the actions attempted. This visibility is essential for detecting abuse patterns.
Test AI Workflows with Attack Scenarios: Add prompt injection test cases to your security testing process. Create GitHub issues with instruction overrides and test inputs designed to exfiltrate data. Verify your controls block these attempts.
Anthropic's quick patch response shows AI vendors can act fast when vulnerabilities surface. However, you can't rely solely on vendor patches. AI agents in your pipeline are privileged processes that need the same security rigor as service accounts and API credentials. Prompt injection is a practical attack vector that just hijacked production repositories.
