CVE-2026-47751: Claude Code Action: RCE via malicious PR .mcp.json config
MEDIUMClaude Code Action, the GitHub Action that runs Claude Code against pull requests and issues, checked out attacker-controlled PR head branches and then unconditionally loaded and enabled all MCP servers defined in that branch's .mcp.json — meaning any external contributor could open a PR containing a malicious MCP server definition and get arbitrary code execution on the Actions runner the moment a privileged user or automated trigger invoked the Claude action on that PR. The blast radius is anything the workflow's secrets can touch — API keys, cloud credentials, deployment tokens, npm/PyPI publish tokens — making this a direct path to CI/CD secret exfiltration and downstream supply-chain compromise, not just an isolated code-execution bug. There is no CISA KEV listing, no public exploit or Nuclei template, and severity is rated medium, but the attack requires nothing beyond opening a public PR — no privileges, no social engineering beyond getting the bot triggered — a very low bar for repos that run this action on externally-contributed PRs. Upgrade Claude Code Action to 1.0.74 or later immediately, which restores .claude/ and .mcp.json from the PR's base branch before the CLI runs so PR-supplied MCP config can no longer override trusted config; until patched, disable automatic Claude Code Action triggers on PRs from forks/external contributors and audit workflow run logs for recent invocations against untrusted PRs for signs of secret access or unexpected outbound calls from MCP server processes.
What is the risk?
Exploitability is high in terms of attacker effort (a public GitHub PR with a crafted .mcp.json is trivial to produce and requires no authentication or elevated access), but impact realization depends on the victim repo's CI configuration: it only triggers when a privileged user or automated workflow rule invokes the Claude action on that PR. Impact is severe when triggered — full arbitrary code execution on the Actions runner plus exposure of every secret injected into that workflow (cloud keys, publish tokens, deployment credentials), which can cascade into a broader supply-chain compromise of downstream artifacts. No active exploitation, KEV listing, or public PoC exists as of publication, and the vendor-assigned severity is medium, but the combination of zero-privilege attacker entry and unconditional trust in PR-controlled configuration files makes this a classic CI/CD supply-chain vulnerability that merits prompt patching over waiting for a raised severity score.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Claude Code | npm | — | No patch |
Do you use Claude Code? You're affected.
How severe is it?
What should I do?
1 step-
Upgrade claude-code-action to v1.0.74 or later, which restores .claude/ and .mcp.json from the PR base branch (trusted) rather than the PR head branch (attacker-controlled) before invoking the CLI. Until upgraded, restrict or disable Claude Code Action triggers (e.g., PR-comment or auto-run triggers) on pull requests originating from forks or external/first-time contributors, and require manual maintainer approval before the action runs on such PRs. Audit GitHub Actions workflow secrets scoped to jobs that invoke Claude Code Action and rotate any credentials that were exposed to workflow runs on untrusted PRs before the patch was applied. Review Actions run logs for the affected repos for unexpected MCP server startup, outbound network connections, or command execution originating from PR-triggered Claude Code Action runs prior to upgrading.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-47751?
Claude Code Action, the GitHub Action that runs Claude Code against pull requests and issues, checked out attacker-controlled PR head branches and then unconditionally loaded and enabled all MCP servers defined in that branch's .mcp.json — meaning any external contributor could open a PR containing a malicious MCP server definition and get arbitrary code execution on the Actions runner the moment a privileged user or automated trigger invoked the Claude action on that PR. The blast radius is anything the workflow's secrets can touch — API keys, cloud credentials, deployment tokens, npm/PyPI publish tokens — making this a direct path to CI/CD secret exfiltration and downstream supply-chain compromise, not just an isolated code-execution bug. There is no CISA KEV listing, no public exploit or Nuclei template, and severity is rated medium, but the attack requires nothing beyond opening a public PR — no privileges, no social engineering beyond getting the bot triggered — a very low bar for repos that run this action on externally-contributed PRs. Upgrade Claude Code Action to 1.0.74 or later immediately, which restores .claude/ and .mcp.json from the PR's base branch before the CLI runs so PR-supplied MCP config can no longer override trusted config; until patched, disable automatic Claude Code Action triggers on PRs from forks/external contributors and audit workflow run logs for recent invocations against untrusted PRs for signs of secret access or unexpected outbound calls from MCP server processes.
Is CVE-2026-47751 actively exploited?
No confirmed active exploitation of CVE-2026-47751 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-47751?
Upgrade claude-code-action to v1.0.74 or later, which restores .claude/ and .mcp.json from the PR base branch (trusted) rather than the PR head branch (attacker-controlled) before invoking the CLI. Until upgraded, restrict or disable Claude Code Action triggers (e.g., PR-comment or auto-run triggers) on pull requests originating from forks or external/first-time contributors, and require manual maintainer approval before the action runs on such PRs. Audit GitHub Actions workflow secrets scoped to jobs that invoke Claude Code Action and rotate any credentials that were exposed to workflow runs on untrusted PRs before the patch was applied. Review Actions run logs for the affected repos for unexpected MCP server startup, outbound network connections, or command execution originating from PR-triggered Claude Code Action runs prior to upgrading.
What systems are affected by CVE-2026-47751?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, CI/CD automation pipelines, AI coding agents / developer tooling.
What is the CVSS score for CVE-2026-47751?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0011.002 Poisoned AI Agent Tool AML.T0050 Command and Scripting Interpreter AML.T0053 AI Agent Tool Invocation AML.T0081 Modify AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
Claude Code Action is a general-purpose GitHub action that runs Claude Code on GitHub pull requests and issues. Prior to 1.0.74, because the action checked out attacker-controlled pull request head branches, read .mcp.json from the working directory via default setting sources, and unconditionally enabled all project MCP servers via enableAllProjectMcpServers, an attacker who opened a pull request containing a malicious .mcp.json file could achieve arbitrary code execution on the GitHub Actions runner and exfiltrate secrets available to the workflow (such as API keys and tokens) when a privileged user or an automatic trigger invoked the Claude action on the pull request. This issue is fixed in version 1.0.74, which restores .claude/ and .mcp.json from the pull request base branch before the CLI runs.
Exploitation Scenario
An external contributor forks a public repository that uses Claude Code Action for automated PR triage and opens a pull request containing a crafted .mcp.json defining a malicious MCP server (for example, one that shells out to download and execute a payload, or that exfiltrates environment variables to an attacker-controlled endpoint). A maintainer or an automatic trigger rule invokes the Claude action on the PR (e.g., via a review-request label or a scheduled triage job); the action checks out the PR's head branch, reads the attacker's .mcp.json, and — because enableAllProjectMcpServers was on by default — starts the malicious MCP server with the same permissions and secrets available to the GitHub Actions runner. The attacker's tool executes arbitrary commands on the runner and exfiltrates CI secrets (API keys, deployment tokens) to an external endpoint, potentially enabling further supply-chain compromise of published artifacts or downstream systems.
Weaknesses (CWE)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
References
- github.com/anthropics/claude-code-action/commit/9ddce40de8c1ab71fb6303a125fdad0968dc1312 x_refsource_MISC
- github.com/anthropics/claude-code-action/pull/1066 x_refsource_MISC
- github.com/anthropics/claude-code-action/releases/tag/v1.0.74 x_refsource_MISC
- github.com/anthropics/claude-code-action/security/advisories/GHSA-8q5r-mmjf-575q x_refsource_CONFIRM
Timeline
Related Vulnerabilities
CVE-2026-2611 9.6 MLflow: cross-origin bypass enables RCE via AI agent
Same package: claude-code CVE-2026-7574 8.7 Claude Desktop: VM integrity bypass enables RCE
Same package: claude-code CVE-2026-35020 8.4 Claude Code CLI: OS command injection via TERMINAL env
Same package: claude-code CVE-2026-49471 8.3 Serena: unauth dashboard API enables RCE via memory poisoning
Same package: claude-code CVE-2026-44246 7.2 nnU-Net: prompt injection hijacks CI/CD triage agent
Same package: claude-code