CVE-2026-47751: Claude Code Action: RCE via malicious PR .mcp.json config

MEDIUM
Published July 16, 2026
CISO Take

Claude Code Action, the GitHub Action that runs Claude Code against pull requests and issues, checked out attacker-controlled PR head branches and then unconditionally loaded and enabled all MCP servers defined in that branch's .mcp.json — meaning any external contributor could open a PR containing a malicious MCP server definition and get arbitrary code execution on the Actions runner the moment a privileged user or automated trigger invoked the Claude action on that PR. The blast radius is anything the workflow's secrets can touch — API keys, cloud credentials, deployment tokens, npm/PyPI publish tokens — making this a direct path to CI/CD secret exfiltration and downstream supply-chain compromise, not just an isolated code-execution bug. There is no CISA KEV listing, no public exploit or Nuclei template, and severity is rated medium, but the attack requires nothing beyond opening a public PR — no privileges, no social engineering beyond getting the bot triggered — a very low bar for repos that run this action on externally-contributed PRs. Upgrade Claude Code Action to 1.0.74 or later immediately, which restores .claude/ and .mcp.json from the PR's base branch before the CLI runs so PR-supplied MCP config can no longer override trusted config; until patched, disable automatic Claude Code Action triggers on PRs from forks/external contributors and audit workflow run logs for recent invocations against untrusted PRs for signs of secret access or unexpected outbound calls from MCP server processes.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Exploitability is high in terms of attacker effort (a public GitHub PR with a crafted .mcp.json is trivial to produce and requires no authentication or elevated access), but impact realization depends on the victim repo's CI configuration: it only triggers when a privileged user or automated workflow rule invokes the Claude action on that PR. Impact is severe when triggered — full arbitrary code execution on the Actions runner plus exposure of every secret injected into that workflow (cloud keys, publish tokens, deployment credentials), which can cascade into a broader supply-chain compromise of downstream artifacts. No active exploitation, KEV listing, or public PoC exists as of publication, and the vendor-assigned severity is medium, but the combination of zero-privilege attacker entry and unconditional trust in PR-controlled configuration files makes this a classic CI/CD supply-chain vulnerability that merits prompt patching over waiting for a raised severity score.

How does the attack unfold?

Initial Access
Attacker opens a public pull request containing a crafted .mcp.json defining a malicious MCP server.
AML.T0011.002
Trigger
A privileged user or automated workflow rule invokes Claude Code Action on the malicious PR, causing the action to check out the PR head branch.
AML.T0081
Execution
The action reads .mcp.json from the untrusted branch and, with enableAllProjectMcpServers on, starts the attacker's MCP server, granting it code execution on the runner.
AML.T0053
Impact
The malicious MCP server exfiltrates workflow secrets (API keys, deployment tokens) and/or performs further actions with the runner's privileges, enabling downstream supply-chain compromise.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Claude Code npm No patch
137.5K Pushed 5d ago 70% patched ~2d to patch Full package profile →

Do you use Claude Code? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

1 step
  1. Upgrade claude-code-action to v1.0.74 or later, which restores .claude/ and .mcp.json from the PR base branch (trusted) rather than the PR head branch (attacker-controlled) before invoking the CLI. Until upgraded, restrict or disable Claude Code Action triggers (e.g., PR-comment or auto-run triggers) on pull requests originating from forks or external/first-time contributors, and require manual maintainer approval before the action runs on such PRs. Audit GitHub Actions workflow secrets scoped to jobs that invoke Claude Code Action and rotate any credentials that were exposed to workflow runs on untrusted PRs before the patch was applied. Review Actions run logs for the affected repos for unexpected MCP server startup, outbound network connections, or command execution originating from PR-triggered Claude Code Action runs prior to upgrading.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system development lifecycle security
NIST AI RMF
MANAGE 4.1 - Third-party AI system risks are monitored and managed
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-47751?

Claude Code Action, the GitHub Action that runs Claude Code against pull requests and issues, checked out attacker-controlled PR head branches and then unconditionally loaded and enabled all MCP servers defined in that branch's .mcp.json — meaning any external contributor could open a PR containing a malicious MCP server definition and get arbitrary code execution on the Actions runner the moment a privileged user or automated trigger invoked the Claude action on that PR. The blast radius is anything the workflow's secrets can touch — API keys, cloud credentials, deployment tokens, npm/PyPI publish tokens — making this a direct path to CI/CD secret exfiltration and downstream supply-chain compromise, not just an isolated code-execution bug. There is no CISA KEV listing, no public exploit or Nuclei template, and severity is rated medium, but the attack requires nothing beyond opening a public PR — no privileges, no social engineering beyond getting the bot triggered — a very low bar for repos that run this action on externally-contributed PRs. Upgrade Claude Code Action to 1.0.74 or later immediately, which restores .claude/ and .mcp.json from the PR's base branch before the CLI runs so PR-supplied MCP config can no longer override trusted config; until patched, disable automatic Claude Code Action triggers on PRs from forks/external contributors and audit workflow run logs for recent invocations against untrusted PRs for signs of secret access or unexpected outbound calls from MCP server processes.

Is CVE-2026-47751 actively exploited?

No confirmed active exploitation of CVE-2026-47751 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-47751?

Upgrade claude-code-action to v1.0.74 or later, which restores .claude/ and .mcp.json from the PR base branch (trusted) rather than the PR head branch (attacker-controlled) before invoking the CLI. Until upgraded, restrict or disable Claude Code Action triggers (e.g., PR-comment or auto-run triggers) on pull requests originating from forks or external/first-time contributors, and require manual maintainer approval before the action runs on such PRs. Audit GitHub Actions workflow secrets scoped to jobs that invoke Claude Code Action and rotate any credentials that were exposed to workflow runs on untrusted PRs before the patch was applied. Review Actions run logs for the affected repos for unexpected MCP server startup, outbound network connections, or command execution originating from PR-triggered Claude Code Action runs prior to upgrading.

What systems are affected by CVE-2026-47751?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, CI/CD automation pipelines, AI coding agents / developer tooling.

What is the CVSS score for CVE-2026-47751?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksCI/CD automation pipelinesAI coding agents / developer tooling

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0011.002 Poisoned AI Agent Tool
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 4.1
OWASP LLM Top 10: LLM03:2025, LLM06:2025

What are the technical details?

Original Advisory

Claude Code Action is a general-purpose GitHub action that runs Claude Code on GitHub pull requests and issues. Prior to 1.0.74, because the action checked out attacker-controlled pull request head branches, read .mcp.json from the working directory via default setting sources, and unconditionally enabled all project MCP servers via enableAllProjectMcpServers, an attacker who opened a pull request containing a malicious .mcp.json file could achieve arbitrary code execution on the GitHub Actions runner and exfiltrate secrets available to the workflow (such as API keys and tokens) when a privileged user or an automatic trigger invoked the Claude action on the pull request. This issue is fixed in version 1.0.74, which restores .claude/ and .mcp.json from the pull request base branch before the CLI runs.

Exploitation Scenario

An external contributor forks a public repository that uses Claude Code Action for automated PR triage and opens a pull request containing a crafted .mcp.json defining a malicious MCP server (for example, one that shells out to download and execute a payload, or that exfiltrates environment variables to an attacker-controlled endpoint). A maintainer or an automatic trigger rule invokes the Claude action on the PR (e.g., via a review-request label or a scheduled triage job); the action checks out the PR's head branch, reads the attacker's .mcp.json, and — because enableAllProjectMcpServers was on by default — starts the malicious MCP server with the same permissions and secrets available to the GitHub Actions runner. The attacker's tool executes arbitrary commands on the runner and exfiltrates CI secrets (API keys, deployment tokens) to an external endpoint, potentially enabling further supply-chain compromise of published artifacts or downstream systems.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

Timeline

Published
July 16, 2026
Last Modified
July 16, 2026
First Seen
July 16, 2026

Related Vulnerabilities