Full Report
When AI meets CI/CD: permission bypasses, prompt injection, and what to do about it.
Analysis Summary
# Vulnerability: Permission Bypass and Prompt Injection in AI-Powered GitHub Actions
## CVE Details
- **CVE ID**: Not explicitly assigned in the report (Referenced as a logical/permission bypass flaw)
- **CVSS Score**: N/A (Estimated High for configurations allowing external triggers)
- **CWE**: CWE-285 (Improper Authorization), CWE-77 (Command Injection / Prompt Injection)
## Affected Systems
- **Products**:
  - `anthropics/claude-code-action` (used in 12K+ workflows)
  - `openai/codex-action`
  - `google-github-actions/run-gemini-cli`
  - `actions/ai-inference`
- **Versions**: Versions prior to May 2024 (specifically, before the fixes that followed the 2026-dated Wiz report disclosure)
- **Configurations**: Workflows where `allow-bots` or non-default permission gates were enabled, and those triggered by `pull_request` or `issues` events.
## Vulnerability Description
Research identified a critical failure in the "security gate" implementation of popular AI GitHub Actions. The core flaw lies in **Identity Confusion**: logic used to check the "bot" status of an actor failed to distinguish between an internally installed/trusted GitHub App and an external, untrusted GitHub App.
Additionally, because these actions use Large Language Models (LLMs) to process natural language inputs (Issue/PR bodies), they are inherently susceptible to **Indirect Prompt Injection**. This allows an attacker to manipulate the AI’s output or tool usage by including malicious instructions in a PR description.
## Exploitation
- **Status**: PoC available (demonstrated by Wiz Research); widespread misconfigurations found in production.
- **Complexity**: Low (Exploitation requires only a valid GitHub account to submit a PR or Issue).
- **Attack Vector**: Network (External actor via GitHub interaction).
## Impact
- **Confidentiality**: High (AI models can be coerced into exfiltrating local credential files/secrets via dynamic tool calls).
- **Integrity**: High (Unauthorized triggers of AI execution; potential for code manipulation).
- **Availability**: Low (Resource consumption).
## Remediation
### Patches
- **anthropics/claude-code-action**: Update to the latest version, in which the permission logic has been refactored to verify the installation ID of the App.
- **openai/codex-action**: Update to the latest version to address the syntactical bot-check vulnerability.
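To make the identity-confusion flaw from the description and the installation-ID fix from the patch notes concrete, here is an added illustration in JavaScript. It is not code from any of the actions named above; the payload shape (`actor`, `author_association`, `actor_installation_id`) and the trusted installation ID are constructed assumptions standing in for whatever lookup a real action performs.

```javascript
// Added example: a permission gate deciding whether an actor's issue/PR text
// may be handed to the model. weakGate() reproduces the identity-confusion
// pattern (any "bot" is trusted); hardenedGate() trusts bots only by a known
// installation ID. Payload field names are assumptions for this example.

const WRITE_ASSOCIATIONS = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);

// Constructed: the installation ID of the organisation's own GitHub App.
const TRUSTED_INSTALLATION_IDS = new Set([1234567]);

// Constructed sample events resembling what a workflow sees in `github.event`.
const EVENT_INTERNAL_APP = {
  actor: { login: "release-helper[bot]", type: "Bot" },
  actor_installation_id: 1234567,
  author_association: "NONE",
};
const EVENT_EXTERNAL_APP = {
  actor: { login: "helpful-assistant[bot]", type: "Bot" },
  actor_installation_id: 9876543, // a different App, installed by an outsider
  author_association: "NONE",
};
const EVENT_MAINTAINER = {
  actor: { login: "alice", type: "User" },
  actor_installation_id: null,
  author_association: "MEMBER",
};

// Weak gate: an actor that merely *looks* like a bot (type or "[bot]" suffix)
// is waved through when allowBots is on, so an external App gets the same
// trust as the organisation's own App.
function weakGate(event, allowBots) {
  if (WRITE_ASSOCIATIONS.has(event.author_association)) return true;
  const looksLikeBot =
    event.actor.type === "Bot" || event.actor.login.endsWith("[bot]");
  return allowBots && looksLikeBot;
}

// Hardened gate: humans need write-level association; bots are admitted only
// if their installation ID is on the allowlist, never by name or type.
function hardenedGate(event, allowBots) {
  if (WRITE_ASSOCIATIONS.has(event.author_association)) return true;
  if (!allowBots || event.actor_installation_id == null) return false;
  return TRUSTED_INSTALLATION_IDS.has(event.actor_installation_id);
}
```

With `allow-bots` enabled, the weak gate admits the external App while the hardened gate rejects it; with the setting off, both gates admit only actors holding write-level association.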
### Workarounds
- **Strict Gating**: Use the default "Write Access" restriction and avoid enabling `allow-external` or `allow-bots` settings.
- **Manual Approval**: Configure GitHub environments to require manual approval for all outside collaborators.
- **Minimal Permissions**: Ensure the `GITHUB_TOKEN` in AI workflows is set to `contents: read` rather than `write` unless strictly necessary.
## Detection
- **Indicators of Compromise**:
  - Unexpected activity from `[bot]` actors not associated with known organizational Apps.
  - Large volumes of exfiltrated data or "Verbosity Mode" logs containing file contents in GitHub Action logs.
- **Detection methods and tools**:
  - Audit workflow files for AI actions using the `pull_request_target` event (high risk).
  - Use `Wiz Code` or similar SCA/SAST tools to scan for vulnerable AI action versions.
## References
- Wiz Blog: [https://www.wiz.io/blog/github-actions-security-ai-powered-actions-vulnerabilities](https://www.wiz.io/blog/github-actions-security-ai-powered-actions-vulnerabilities)
- GitHub Actions Hardening: [https://www.wiz.io/blog/github-actions-security-guide](https://www.wiz.io/blog/github-actions-security-guide)
- Claude Code Action Security: [https://adnanthekhan.com/posts/clinejection/](https://adnanthekhan.com/posts/clinejection/)