Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration
Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration
https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html
Publish Date: 2026-02-25 12:00:00
Source Domain: thehackernews.com
Cybersecurity researchers have disclosed multiple security vulnerabilities in Anthropic’s Claude Code, an artificial intelligence (AI)-powered coding assistant, that could result in remote code execution and theft of API credentials.
“The vulnerabilities exploit various configuration mechanisms, including Hooks, Model Context Protocol (MCP) servers, and environment variables – executing arbitrary shell commands and exfiltrating Anthropic API keys when users clone and open untrusted repositories,” Check Point Research said in a report shared with The Hacker News.
The identified shortcomings fall under three broad categories –
- No CVE (CVSS score: 8.7) – A code injection vulnerability stemming from a user consent bypass when starting Claude Code in a new directory that could result in arbitrary code execution without additional confirmation via untrusted project hooks defined in .claude/settings.json. (Fixed in version 1.0.87 in September 2025)
- CVE-2025-59536 (CVSS score: 8.7) – A code injection vulnerability that allows execution of arbitrary shell commands automatically upon tool initialization when a user starts Claude Code in an untrusted directory. (Fixed in version 1.0.111 in October 2025)
- CVE-2026-21852 (CVSS score: 5.3) – An information disclosure vulnerability in Claude Code’s project-load flow that allows a malicious repository to exfiltrate data, including Anthropic API keys. (Fixed in version 2.0.65 in January 2026)
“If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, Claude Code would issue API requests before showing the trust prompt, including potentially leaking the user’s API keys,” Anthropic said in an advisory for CVE-2026-21852.
In other words, simply opening a crafted repository is enough to exfiltrate a developer’s active API key, redirect…
