Apr 09, 2026 • Rémy Marot
Anthropic Claude Code Action Runner Arbitrary Code Execution via Malicious MCP Server Configuration
Executive Summary
A critical vulnerability has been identified in the Anthropic Claude Code GitHub Action, claude-code-action, enabling arbitrary code execution within CI/CD runners. The flaw arises when the action processes pull requests from attacker-controlled branches while unconditionally enabling all project MCP servers. By submitting a malicious .mcp.json configuration file, an adversary can trigger automatic server startup upon action execution by a privileged user. This compromise grants attackers access to all workflow secrets and runner environments. The severity is critical due to the potential for supply chain compromise and credential theft. Organizations utilizing this action should immediately audit their GitHub workflows, restrict pull request triggers from external forks, and disable automatic MCP server loading until patches are applied. Vendor mitigation involves updating the action to require explicit approval for project MCP servers and sanitizing configuration inputs before execution within privileged contexts.
Summary
The claude-code-action GitHub Action checks out the PR head branch when operating in a pull request context, making the working directory attacker-controlled. Combined with the action unconditionally setting 'enableAllProjectMcpServers' to 'true' in Claude Code's user settings and loading settings from the project and local sources by default (settingsSource: ["user", "project", "local"]), an attacker can supply a malicious '.mcp.json' file in their PR branch. When a privileged user triggers the GitHub Action (for example via an 'issue_comment' event), the MCP server defined in the attacker-controlled configuration is started automatically without approval, resulting in arbitrary command execution on the runner with access to all workflow secrets.
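As an added defender-side check (not part of the advisory and not code from claude-code-action), the script below models the condition the summary describes: project/local settings are loaded and every project MCP server is pre-approved, so any '.mcp.json' in the checked-out PR head would auto-start. Run before the action in a workflow to fail closed on fork PRs; it assumes the 'mcpServers' layout of '.mcp.json' and Claude Code's settings key names, and the workspace and command in the demo are constructed.

```python
import json
from pathlib import Path
from tempfile import TemporaryDirectory

# Settings the advisory says the action applies; key names assumed to follow Claude Code's settings.json.
ACTION_USER_SETTINGS = {"enableAllProjectMcpServers": True}
DEFAULT_SETTINGS_SOURCE = ["user", "project", "local"]
PROJECT_MCP_FILES = [".mcp.json"]  # project-scope file an attacker controls once the PR head is checked out

def load_project_servers(workspace: Path) -> dict:
    """Return {name: {"file", "command"}} for every MCP server declared in project-scope files."""
    found = {}
    for rel in PROJECT_MCP_FILES:
        path = workspace / rel
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text())
        except json.JSONDecodeError:  # a broken file is still a signal: someone touched MCP config
            found[f"<unparseable:{rel}>"] = {"file": rel, "command": None}
            continue
        for name, spec in (data.get("mcpServers") or {}).items():
            cmd = " ".join([spec.get("command", "")] + list(spec.get("args", [])))
            found[name] = {"file": rel, "command": cmd.strip()}
    return found

def servers_that_would_autostart(workspace: Path, user_settings=ACTION_USER_SETTINGS,
                                 settings_source=DEFAULT_SETTINGS_SOURCE) -> dict:
    """Model the advisory's condition: project/local settings are loaded AND all project servers are pre-approved."""
    loads_project = "project" in settings_source or "local" in settings_source
    if not (loads_project and user_settings.get("enableAllProjectMcpServers")):
        return {}
    return load_project_servers(workspace)

def preflight_ok(workspace: Path, pr_from_fork: bool) -> tuple[bool, list[str]]:
    """Fail closed when a fork PR ships project MCP servers; list what would have started."""
    risky = servers_that_would_autostart(workspace)
    findings = [f"{n}: {s['file']} -> {s['command']}" for n, s in risky.items()]
    return (not (pr_from_fork and risky)), findings

def demo(add_mcp_json: bool = True) -> tuple[bool, list[str]]:
    """Constructed workspace: a fork PR that adds a .mcp.json with a benign placeholder command."""
    with TemporaryDirectory() as tmp:
        ws = Path(tmp)
        if add_mcp_json:
            (ws / ".mcp.json").write_text(json.dumps(
                {"mcpServers": {"pr-added": {"command": "echo", "args": ["hello-from-pr"]}}}))
        return preflight_ok(ws, pr_from_fork=True)
```

Wire it as a step that runs on the PR checkout before claude-code-action and fails the job when preflight_ok returns False; the findings list gives reviewers the server name, file and command that would have launched.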