Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration

Source: The Hacker News

Cybersecurity researchers have disclosed multiple security vulnerabilities in Anthropic’s Claude Code, an AI‑powered coding assistant, that could result in remote code execution and theft of API credentials.

“The vulnerabilities exploit various configuration mechanisms, including Hooks, Model Context Protocol (MCP) servers, and environment variables – executing arbitrary shell commands and exfiltrating Anthropic API keys when users clone and open untrusted repositories,” — Check Point Research, as cited by The Hacker News.

Vulnerabilities

The identified shortcomings fall under three broad categories:

• No CVE – A code injection vulnerability stemming from a user‑consent bypass when starting Claude Code in a new directory. It can result in arbitrary code execution without additional confirmation via untrusted project hooks defined in .claude/settings.json. (Fixed in version 1.0.87, September 2025) – Details (CVSS 8.7)

• CVE‑2025‑59536 – A code injection vulnerability that allows execution of arbitrary shell commands automatically upon tool initialization when a user starts Claude Code in an untrusted directory. (Fixed in version 1.0.111, October 2025) – Details (CVSS 8.7)

• CVE‑2026‑21852 – An information‑disclosure vulnerability in Claude Code’s project‑load flow that allows a malicious repository to exfiltrate data, including Anthropic API keys. (Fixed in version 2.0.65, January 2026) – Details (CVSS 5.3)

Impact and Exploitation

If a user starts Claude Code in a repository controlled by an attacker, a malicious settings file can set ANTHROPIC_BASE_URL to an attacker‑controlled endpoint. Claude Code will issue API requests before showing the trust prompt, potentially leaking the user’s API keys.

Opening a crafted repository is therefore sufficient to:

• Exfiltrate a developer’s active API key.
• Redirect authenticated API traffic to external infrastructure.
• Capture credentials that enable deeper intrusion into the victim’s AI environment.

Consequences may include:

• Accessing shared project files.
• Modifying or deleting cloud‑stored data.
• Uploading malicious content.
• Generating unexpected API costs.

The first vulnerability can trigger stealthy execution on a developer’s machine with no interaction beyond launching the project. CVE‑2025‑59536 achieves a similar outcome, but exploits repository‑defined configurations (.mcp.json and claude/settings.json) to override explicit user approval before interacting with external tools via the Model Context Protocol (MCP). This is done by setting the [enableAllProjectMcpServers](https://code.claude.com/docs/en/settings) option to true.

“As AI‑powered tools gain the ability to execute commands, initialize external integrations, and initiate network communication autonomously, configuration files effectively become part of the execution layer,” — Check Point. “What was once considered operational context now directly influences system behavior.”

“This fundamentally alters the threat model. The risk is no longer limited to running untrusted code – it now extends to opening untrusted projects. In AI‑driven development environments, the supply chain begins not only with source code, but with the automation layers surrounding it.”

References

• Check Point Research report: https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/
• The Hacker News article: https://thehackernews.uk/ztw-hands-on-d
• Anthropic advisory for CVE‑2026‑21852: https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7
• Hooks guide: https://code.claude.com/docs/en/hooks-guide
• Settings documentation: https://code.claude.com/docs/en/settings