Security: Claude GitHub App accesses SSO-protected organization repositories without explicit user authorization
Security Concern
The Claude GitHub App is acting on SAML SSO-protected organization repositories even when the user never explicitly authorized the app's OAuth token for that organization.
GitHub requires OAuth tokens and GitHub Apps to be explicitly authorized for SAML SSO organizations — users must manually grant this at github.com/settings/tokens. If this authorization step is being bypassed or ignored, it represents a security vulnerability: the bot can read code, post comments, and interact with internal company PRs without the user's explicit consent.
How to reproduce
- Be a member of a GitHub organization that uses SAML SSO
- Install the Claude GitHub App on your personal account with "Only select repositories" (no company repos selected)
- The org admin has the Claude App installed at the org level
- Open a PR in a company repository
- Claude reviews the PR and posts comments — despite the user never having authorized the OAuth token for the SSO org
Expected behavior
The Claude App should not be able to act on SSO-protected repositories unless the user has explicitly authorized the OAuth token for that organization, as GitHub's SSO model requires.
Actual behavior
Claude acts on SSO-protected org repositories, bypassing the user's explicit repository selection and the expected SSO authorization boundary.
Impact
- The bot reads and comments on internal company code without user intent
- Users have no programmatic way to prevent this — the only workaround is to manually suspend the app installation via UI before opening company PRs
- This undermines the security model that SAML SSO is designed to enforce
Additional context
The PUT /app/installations/{installation_id}/suspended endpoint cannot be called with a user PAT or OAuth token (requires JWT as the App itself), making it impossible for users to automate a workaround. A user-scoped suspend/unsuspend endpoint would help as a mitigation, but the root issue is the SSO boundary not being respected.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗