Vulnerabilities in Anthropic Claude Code Enable Code Execution and API Key Exfiltration
Security researchers disclosed multiple vulnerabilities in Anthropic’s Claude Code AI coding assistant that could enable arbitrary command execution and exfiltration of Anthropic API credentials when developers clone/open a malicious repository. Check Point Research reported the issues abuse Claude Code configuration and initialization paths—particularly project hooks (e.g., untrusted .claude/settings.json), Model Context Protocol (MCP) servers, and environment variables—to trigger shell command execution and data theft. Anthropic’s advisory for CVE-2026-21852 describes a project-load flow where a crafted repo can set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, causing Claude Code to send API requests before the trust prompt is shown, potentially leaking the user’s API key.
The disclosed issues include two high-severity code-injection paths (CVSS 8.7) and one information-disclosure flaw (CVSS 5.3): a consent-bypass/hook-based injection issue fixed in Claude Code 1.0.87 (Sept 2025), CVE-2025-59536 fixed in 1.0.111 (Oct 2025), and CVE-2026-21852 fixed in 2.0.65 (Jan 2026). Separate coverage framed Anthropic-related developments as market-moving, noting investor attention around Anthropic’s AI code-security tooling; however, the actionable security impact in this reporting is the risk that simply opening an attacker-controlled repository can lead to RCE and credential leakage, reinforcing the need to treat untrusted repos and tool initialization behaviors as a supply-chain and developer-workstation risk.
Timeline
Feb 27, 2026
Public PoC repo released for Claude Code vulnerabilities
A GitHub repository was published demonstrating three previously disclosed Claude Code vulnerabilities, including hooks consent bypass, MCP server configuration injection, and API key exfiltration via base URL manipulation. The project included malicious demo configurations, an attacker server, a MITM proxy, and a scanner for detecting vulnerable repository patterns, expanding public technical detail around the flaws.
Feb 25, 2026
Anthropic's Claude Code Security launch triggers cybersecurity stock selloff
Anthropic's release of its AI-powered code security tool, Claude Code Security, reportedly prompted a short-term selloff in cybersecurity stocks. Investor Nick Davidov said the reaction did not alter his firm's long-term view that AI-generated code and agent-related risks will increase demand for security products.
Feb 25, 2026
Check Point discloses Claude Code RCE and API key theft flaws
Check Point researchers publicly disclosed multiple vulnerabilities in Anthropic's Claude Code affecting Hooks, Model Context Protocol servers, and environment variable handling. The researchers said malicious repository configuration files could be abused to execute arbitrary shell commands and leak API keys to attacker-controlled endpoints, potentially enabling follow-on access to AI infrastructure and cloud-stored data.
Feb 25, 2026
Anthropic patches multiple Claude Code vulnerabilities
Anthropic fixed several flaws in Claude Code across versions 1.0.87, 1.0.111, and 2.0.65, including CVE-2025-59536 and CVE-2026-21852. The vulnerabilities could enable remote code execution, silent tool interaction, and exfiltration of Anthropic API credentials when users opened untrusted repositories.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Affected Products
Sources
Related Stories
Critical Vulnerabilities in Anthropic Claude Code Enable RCE and API Key Theft via Malicious Repositories
**Check Point Research** disclosed multiple critical vulnerabilities in Anthropic’s *Claude Code* AI coding assistant that could allow **remote code execution** and **credential theft** when a developer clones and opens an **untrusted repository**. The reported attack path abuses repository-controlled configuration and automation features (including **Hooks**, **MCP servers**, and **environment variables**) to trigger hidden shell command execution and to exfiltrate **Anthropic API credentials**, potentially enabling a pivot from a developer workstation into broader enterprise environments where Claude-related workflows and shared resources are accessible. The issues include consent-bypass and command-execution weaknesses tracked under **CVE-2025-59536** (covering closely related flaws involving repository configuration executing commands without adequate user consent) and an API credential exposure issue tracked as **CVE-2026-21852**, which affected *Claude Code* versions prior to **2.0.65** and enabled API key theft via malicious project configurations. Anthropic has **patched** the vulnerabilities and advised users to update to the latest version, while indicating additional hardening measures are planned to reduce supply-chain risk from malicious commits and repository-level configuration abuse.
3 weeks ago
Anthropic Expands Claude’s Agentic Coding Capabilities and Adds Embedded Vulnerability Scanning
Anthropic announced **Claude Code Security**, an embedded capability in *Claude Code* that scans customer codebases for vulnerabilities and suggests patches, initially rolling out to a limited set of enterprise/team customers for testing. The company said the feature was stress-tested via internal red-teaming, Capture-the-Flag exercises, and collaboration with **Pacific Northwest National Laboratory**, and positioned it as a way to reduce reliance on manual security reviews as AI-assisted “vibe coding” increases and attackers also use AI to accelerate weakness discovery. In parallel, Anthropic released **Claude Sonnet 4.6**, emphasizing improved coding performance, stronger “computer use” capabilities, and expanded developer tooling (e.g., adaptive/extended thinking modes, beta context compaction, and API tools for web search/fetch and code execution). Separate commentary highlighted the security risk of **agentic coding assistants** (e.g., *Claude Code*, *Cursor*, *GitHub Copilot*) operating with broad privileges—file access, shell execution, and secret handling—and argued that the emerging **Model Context Protocol (MCP)** ecosystem needs stronger, future-proof identity controls; additional industry guidance promoted **MLSecOps** as a way to integrate security into AI/ML development lifecycles, though it did not report a specific incident or vulnerability.
3 weeks ago
Command Injection Flaws Expose OpenClaw and Anthropic Claude Code to RCE
Two high-severity command injection vulnerabilities have been disclosed in developer tooling and automation software, enabling arbitrary command execution through improperly sanitized shell inputs. `CVE-2026-32917` affects OpenClaw versions earlier than `2026.3.13`, where the iMessage attachment staging workflow passes unsanitized remote attachment paths directly into an SCP remote operand. If remote attachment staging is enabled, an unauthenticated attacker can use shell metacharacters in attachment paths to execute commands on configured remote hosts; the flaw is tracked as `CWE-78` and carries a CVSS v3.1 rating of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`. A separate issue, `CVE-2026-35020`, impacts Anthropic Claude Code CLI and the Claude Agent SDK, where attacker-controlled input from the `TERMINAL` environment variable can reach `/bin/sh` with `shell=true` through the command lookup helper and deep-link terminal launcher. A local attacker can exploit the bug during normal CLI use or via the deep-link handler to run arbitrary commands with the privileges of the invoking user. Both disclosures highlight continued risk from unsanitized shell metacharacters in application workflows, with OpenClaw publishing a fixing commit and security advisory alongside third-party vulnerability reporting.
3 weeks ago