GHSA-8q5r-mmjf-575q: Claude Code Action: Malicious MCP Server Configuration in PRs Enables Remote Code Execution and Secret Exfiltration
Summary
A vulnerability in Claude Code Action allowed attackers to run arbitrary code on GitHub Actions runners and steal secrets by creating a pull request with a malicious `.mcp.json` file (a configuration file that tells the system which external tools to enable). The problem occurred because the action automatically checked out the attacker's code, read the malicious configuration file, and unconditionally enabled all project MCP servers (integrations with external tools) without validation.
Solution / Mitigation
Update claude-code-action to the latest version. Users referencing anthropics/claude-code-action@v1, anthropics/claude-code-action@beta, anthropics/claude-code-action@main, or other non-pinned tags will have already received this fix.
Vulnerability Details
EPSS: 0.0%
Yes
June 10, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-8q5r-mmjf-575q
First tracked: June 10, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%