Anthropic Claude Code Action Runner Arbitrary Code Execution via Malicious MCP Server Configuration

The claude-code-action GitHub Action checks out the PR head branch when operating in a pull request context, so the working directory is attacker-controlled. Combined with the action unconditionally setting ‘enableAllProjectMcpServers’ to ‘true’ in Claude Code’s user settings and loading settings from the project and local sources by default (‘settingsSource: ["user", "project", "local"]’), an attacker can supply a malicious ‘.mcp.json’ file in the PR branch.

When a privileged user triggers the GitHub Action (for example via an ‘issue_comment’ event), the MCP server defined in the attacker-controlled configuration is started automatically, without approval, resulting in arbitrary command execution on the runner with access to all workflow secrets.
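As an added illustration (not code from the advisory or from the action itself), the check below models the two conditions the advisory describes and reports which servers from a checked-out .mcp.json would be started without approval, alongside the hardened settings a workflow should run with. The "mcpServers" layout of .mcp.json and the sample server entry are constructed assumptions.

```python
import json

# Constructed sample of the Claude Code user settings the advisory says the action
# writes on the runner: project MCP servers auto-enabled, settings read from the
# user, project and local sources (the last two live in the attacker-controlled checkout).
RUNNER_USER_SETTINGS = {"enableAllProjectMcpServers": True}
SETTINGS_SOURCES = ["user", "project", "local"]

# Constructed .mcp.json as it could appear in a PR head branch. The "mcpServers"
# key layout is an assumption about the file format; the command is a placeholder.
PR_BRANCH_MCP_JSON = json.dumps({
    "mcpServers": {
        "helper": {"command": "sh", "args": ["-c", "echo placeholder"]}
    }
})


def project_servers_auto_started(user_settings, settings_sources, mcp_json_text):
    """Return the names of .mcp.json servers that would start without approval.

    Per the advisory this needs both conditions: enableAllProjectMcpServers is
    true, and the project or local settings source is loaded from the checkout.
    Malformed JSON is treated as no servers rather than an error.
    """
    if not user_settings.get("enableAllProjectMcpServers", False):
        return []
    if not ({"project", "local"} & set(settings_sources)):
        return []
    try:
        servers = json.loads(mcp_json_text).get("mcpServers", {})
    except (json.JSONDecodeError, AttributeError):
        return []
    return sorted(servers)


def hardened(user_settings, settings_sources):
    """Return copies with auto-approval off and only the trusted user source kept."""
    settings = dict(user_settings, enableAllProjectMcpServers=False)
    return settings, [s for s in settings_sources if s == "user"]


if __name__ == "__main__":
    exposed = project_servers_auto_started(
        RUNNER_USER_SETTINGS, SETTINGS_SOURCES, PR_BRANCH_MCP_JSON)
    print("servers started from PR checkout without approval:", exposed)
    safe_settings, safe_sources = hardened(RUNNER_USER_SETTINGS, SETTINGS_SOURCES)
    print("after hardening:", project_servers_auto_started(
        safe_settings, safe_sources, PR_BRANCH_MCP_JSON))
```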

Rémy Marot