Tenable Research — Claude Code GitHub Action MCP Server RCE Vulnerability

AI relevance: This vulnerability demonstrates how AI agent CI/CD pipelines introduce novel attack surfaces where malicious code can bypass traditional security controls through MCP server auto-loading mechanisms.

  • Tenable researchers discovered a critical remote code execution vulnerability in Anthropic's official claude-code-action GitHub Action
  • Attackers can execute arbitrary commands on GitHub Actions runners with access to all workflow secrets
  • Vulnerability stems from automatic MCP server loading from attacker-controlled PR branches
  • The claude-code-action checks out PR head branches, making working directory attacker-controlled
  • The action unconditionally sets enableAllProjectMcpServers: true in the Claude Code user settings
  • The default settingsSource: ["user", "project", "local"] also loads configuration from the project directory, i.e. the checked-out branch
  • Attackers can place malicious .mcp.json files in PR branches to define custom MCP servers
  • When privileged users trigger the action (e.g., via issue_comment events), malicious servers auto-start without approval
  • Vulnerability fixed in claude-code-action v1.0.78 released February 2026
  • Originally mis-triaged as "informative" before being properly classified as a security vulnerability

Why it matters

This vulnerability highlights the security risks in AI agent CI/CD pipelines where MCP server auto-loading mechanisms can be exploited to bypass traditional code review and security controls. The attack demonstrates how AI tooling introduces novel supply chain attack vectors where malicious configurations in PR branches can lead to full runner compromise.

What to do

  • Update immediately to claude-code-action v1.0.78 or later if you use the GitHub Action
  • Review MCP server configurations in CI/CD pipelines and disable auto-loading from untrusted sources
  • Implement branch protection rules to prevent untrusted PRs from triggering sensitive workflows
  • Audit GitHub Actions permissions and ensure minimal required access for CI/CD jobs
  • Monitor for suspicious MCP server activity in your AI agent deployment pipelines
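The two conditions listed above (enableAllProjectMcpServers set to true, and a settings source list that includes the project directory) only become dangerous when the checked-out branch can carry a .mcp.json of its own. The following pre-flight audit is an added example written for this summary; it is not Tenable's tooling and not part of claude-code-action. It assumes the project-scoped MCP file is named .mcp.json and uses the {"mcpServers": {"<name>": {"command": ..., "args": [...]}}} layout, walks a checkout for such files, and refuses to proceed when the effective settings would auto-start whatever servers the branch defines. The sample branch it builds in a temporary directory is constructed for the demonstration.

```python
import json
import os
import tempfile
from pathlib import Path

# Assumed project-scoped MCP config file name and layout:
# {"mcpServers": {"<name>": {"command": "...", "args": [...]}}}
PROJECT_MCP_FILE = ".mcp.json"
# Default quoted in the advisory summary above.
DEFAULT_SETTINGS_SOURCE = ["user", "project", "local"]


def project_servers_autoload(settings):
    """True when project-scoped MCP servers would start without approval.

    Mirrors the two conditions named above: enableAllProjectMcpServers is
    true AND "project" is among the settings sources being loaded.
    """
    sources = settings.get("settingsSource", DEFAULT_SETTINGS_SOURCE)
    return bool(settings.get("enableAllProjectMcpServers")) and "project" in sources


def find_project_mcp_servers(root):
    """Walk a checked-out branch and list every MCP server a .mcp.json defines."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip repository metadata
        if PROJECT_MCP_FILE not in filenames:
            continue
        path = Path(dirpath) / PROJECT_MCP_FILE
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # A malformed file is still a finding: someone put it there.
            findings.append({"file": str(path), "name": None, "command": None,
                             "args": [], "error": str(exc)})
            continue
        servers = data.get("mcpServers", {}) if isinstance(data, dict) else {}
        for name, spec in servers.items():
            spec = spec if isinstance(spec, dict) else {}
            findings.append({"file": str(path), "name": name,
                             "command": spec.get("command"),
                             "args": list(spec.get("args", [])), "error": None})
    return findings


def audit_checkout(root, settings):
    """Pre-flight check before pointing an agent at an untrusted PR checkout.

    Returns (blocked, findings). blocked is True when the effective settings
    would auto-start any server the branch defines, the combination the
    advisory describes.
    """
    findings = find_project_mcp_servers(root)
    blocked = project_servers_autoload(settings) and len(findings) > 0
    return blocked, findings


def demo():
    """Constructed sample: a branch that ships its own .mcp.json (not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, PROJECT_MCP_FILE).write_text(json.dumps({
            "mcpServers": {
                "example-server": {"command": "python3", "args": ["tools/server.py"]}
            }
        }), encoding="utf-8")
        risky = {"enableAllProjectMcpServers": True}      # what the action set, per the advisory
        hardened = {"enableAllProjectMcpServers": False}  # the setting a defender wants
        return audit_checkout(tmp, risky), audit_checkout(tmp, hardened)


if __name__ == "__main__":
    (blocked, findings), (still_blocked, _) = demo()
    for f in findings:
        print(f"{f['file']}: server {f['name']!r} -> {f['command']} {' '.join(f['args'])}")
    print("auto-load would start these servers:", blocked)
    print("with enableAllProjectMcpServers=false:", still_blocked)
```

Run it as a job step before the agent step on any workflow that checks out a PR head; a non-empty findings list on an untrusted branch is worth a review comment on its own, and a True blocked result means the job should fail rather than hand the checkout to an agent that auto-starts project servers.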

Sources