Vulnerability  ·  2026-07-17

Claude Code Action (GitHub Action) — Attacker-Controlled PR Content Enables MCP Config Injection and Code Execution

VulnerabilityMedium impactGlobalCVE-2026-47751
Anthropic's official GitHub Action for running Claude Code against PRs/issues did not sanitize configuration files (such as .mcp.json) from an attacker-controlled PR branch before running the CLI, allowing a malicious contributor to inject a malicious MCP server configuration that executes when the action processes their PR.
This is a supply-chain-style attack on CI/CD-integrated AI coding agents: any public repository using claude-code-action to auto-review external PRs could have its CI environment (secrets, tokens) compromised simply by a malicious pull request supplying a poisoned MCP config.
The action checked out attacker-controlled PR head branches and read .mcp.json plus other configuration files from the working directory via default setting sources, then unconditionally executed Claude Code CLI in that checked-out directory — allowing a malicious PR to plant a poisoned .mcp.json that gets loaded and executed by the action.
Claude Code Action (anthropics/claude-code-action) prior to 1.0.74
Upgrade to claude-code-action 1.0.74 or later, which restores trusted configuration from the PR's base branch before execution (restoreConfigFromBase). See GitHub commit 9ddce40de8c1ab71fb6303a125fdad0968dc1312.
Miggo Vulnerability DatabaseGitHub commit
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →