CVE-2026-47751 in claude-code-actioninfo

Summary

by MITRE • 07/16/2026

Claude Code Action is a general-purpose GitHub action that runs Claude Code on GitHub pull requests and issues. Prior to 1.0.74, because the action checked out attacker-controlled pull request head branches, read .mcp.json from the working directory via default setting sources, and unconditionally enabled all project MCP servers via enableAllProjectMcpServers, an attacker who opened a pull request containing a malicious .mcp.json file could achieve arbitrary code execution on the GitHub Actions runner and exfiltrate secrets available to the workflow (such as API keys and tokens) when a privileged user or an automatic trigger invoked the Claude action on the pull request. This issue is fixed in version 1.0.74, which restores .claude/ and .mcp.json from the pull request base branch before the CLI runs.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability in Claude Code Action represents a critical security flaw that enables arbitrary code execution through a carefully crafted malicious file within a pull request. This issue affects versions prior to 1.0.74 where the action's behavior creates an attack vector by checking out attacker-controlled content from the pull request head branch, which then gets processed without proper sanitization or validation. The vulnerability stems from the action's default configuration that reads .mcp.json files from the working directory, combined with unconditional enabling of all project MCP servers through enableAllProjectMcpServers parameter.

The technical exploitation occurs when an attacker creates a malicious .mcp.json file within their pull request that contains crafted commands or configurations designed to execute arbitrary code on the GitHub Actions runner. This vulnerability maps directly to CWE-434, which describes insecure upload of code or content, and also aligns with ATT&CK technique T1059.001 for command and scripting interpreter. The flaw exists in the action's trust model where it assumes that files within a pull request are safe and does not validate or sanitize inputs before processing them. When a privileged user reviews or automatically triggers the workflow, the malicious .mcp.json file gets processed by the Claude Code CLI, which then executes commands on the runner with the same privileges as the GitHub Actions environment.

The operational impact of this vulnerability is severe as it allows attackers to execute arbitrary code with access to all secrets available within the GitHub Actions workflow context. These secrets can include API keys, tokens, credentials, and other sensitive information that the workflow has access to during execution. The attack chain begins when an attacker opens a pull request containing the malicious .mcp.json file, then waits for a privileged user or automated trigger to invoke the Claude Code action on their pull request. Upon execution, the runner processes the attacker-controlled configuration and executes commands that can exfiltrate secrets, establish persistent access, or perform other malicious activities. The vulnerability is particularly dangerous because it can be triggered automatically through various workflows and does not require direct access to the repository.

The fix implemented in version 1.0.74 addresses this vulnerability by restoring .claude/ and .mcp.json files from the pull request base branch before the CLI executes, effectively preventing attackers from injecting malicious configurations through their pull request content. This mitigation strategy follows the principle of least privilege by ensuring that only validated configuration files from the base branch are used during execution. The solution aligns with security best practices for GitHub Actions workflows and prevents the insecure file processing that enabled the arbitrary code execution. By restoring configuration files from a trusted source, the action eliminates the attack surface where malicious .mcp.json files could be processed and executed on the runner. This fix represents a defensive programming approach that validates inputs by using reference configurations from the base branch rather than allowing potentially malicious content from the head branch to influence execution behavior. The implementation effectively closes the vulnerability while maintaining the intended functionality of the Claude Code Action.

Responsible

GitHub M

Reservation

05/20/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!