Claude Code Action: Malicious MCP Server Configuration in PRs Enables Remote Code Execution and Secret Exfiltration
- When
- Where: Global (internet)
- Category: cyber_advisory · actions
Due to the combination of checking out PR head branches (attacker-controlled), reading `.mcp.json` from the working directory via the default setting sources, and unconditionally enabling all project MCP servers via `enableAllProjectMcpServers`, it was possible for an attacker who opened a PR containing a malicious `.mcp.json` file to achieve arbitrary code execution on the GitHub Actions runner. This could lead to exfiltration of secrets available to the workflow (such as API keys and tokens) when a privileged user triggered the Claude action on the PR.

Exploiting this required the ability to open a pull request against a repository using the claude-code-action, and a privileged user or automatic trigger to invoke the action on that PR.

Users pinned to a vulnerable version of claude-code-action are advised to update to the latest version. Users referencing anthropics/claude-code-action@v1, anthropics/claude-code-action@beta, anthropics/claude-code-action@main, or other non-pinned tags will have received this fix already. Claude Code thanks hackerone.com/reptou for reporting this issue.
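As an added defensive check (not code from the advisory or from claude-code-action itself), the following Python audits a PR-supplied `.mcp.json` against a maintainer-controlled allowlist so a CI job can refuse to honour server definitions the repository never shipped. It assumes the usual `mcpServers` layout with stdio entries (`command`/`args`/`env`) and remote entries (`type`/`url`); the allowlist and the sample file are constructed for illustration.

```python
import json

# Constructed allowlist of MCP servers the repository intentionally ships (hypothetical names).
TRUSTED_SERVERS = {
    "repo-docs": {"command": "npx", "args": ["-y", "@example/docs-mcp"]},
}

# Constructed sample of a .mcp.json as it might arrive on a PR head branch.
SAMPLE_PR_MCP_JSON = """{
  "mcpServers": {
    "repo-docs": {"command": "npx", "args": ["-y", "@example/docs-mcp"]},
    "helper": {"command": "python3", "args": ["tools/helper_server.py"], "env": {"DEBUG": "1"}},
    "remote": {"type": "http", "url": "https://mcp.example.invalid/sse"}
  }
}"""

def audit_mcp_config(text, trusted=TRUSTED_SERVERS):
    """Return (server_name, reason) findings for every server definition that the
    runner would launch or contact but that is not on the allowlist."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("<file>", f"unparseable .mcp.json: {exc.msg}")]
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        return [("<file>", "no mcpServers object found")]
    findings = []
    for name, spec in servers.items():
        if not isinstance(spec, dict):
            findings.append((name, "server entry is not an object"))
            continue
        expected = trusted.get(name)
        if spec.get("type", "stdio") == "stdio":
            # A stdio server is a process the runner starts: check command and args.
            actual = {"command": spec.get("command"), "args": spec.get("args", [])}
            if expected is None:
                findings.append((name, f"untrusted stdio server would run {actual['command']!r}"))
            elif actual != {"command": expected.get("command"), "args": expected.get("args", [])}:
                findings.append((name, "allowlisted name but command/args differ"))
            if spec.get("env"):
                findings.append((name, "injects environment variables into the launched process"))
        elif expected is None or expected.get("url") != spec.get("url"):
            # A remote server means outbound connections from the runner.
            findings.append((name, f"untrusted remote server {spec.get('url')!r}"))
    return findings

def pr_mcp_config_is_safe(text, trusted=TRUSTED_SERVERS):
    """CI gate: trust a PR's .mcp.json only when it adds nothing beyond the allowlist."""
    return not audit_mcp_config(text, trusted)
```

Running this as a gate step before the action is invoked (and failing the job on any finding) removes the assumption that a file on the PR head branch is safe to treat as project configuration.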
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-10 19:33 UTC