Anthropic's Claude Code AI coding assistant contains multiple critical vulnerabilities that enable remote code execution and theft of API credentials through malicious repositories
Cybersecurity researchers have disclosed multiple critical security vulnerabilities in Anthropic's Claude Code, an AI-powered coding assistant, that could allow attackers to execute arbitrary code and steal API credentials simply by having users open malicious repositories.
According to Check Point Research, the vulnerabilities exploit various configuration mechanisms including Hooks, Model Context Protocol (MCP) servers, and environment variables to execute arbitrary shell commands and exfiltrate Anthropic API keys when users clone and open untrusted repositories.
Three Critical Vulnerabilities
The identified shortcomings fall under three broad categories:
No CVE (CVSS score: 8.7) - A code injection vulnerability stemming from a user consent bypass when starting Claude Code in a new directory. This could result in arbitrary code execution without additional confirmation via untrusted project hooks defined in .claude/settings.json. The issue was fixed in version 1.0.87 in September 2025.
CVE-2025-59536 (CVSS score: 8.7) - A code injection vulnerability that allows execution of arbitrary shell commands automatically upon tool initialization when a user starts Claude Code in an untrusted directory. This was fixed in version 1.0.111 in October 2025.
CVE-2026-21852 (CVSS score: 5.3) - An information disclosure vulnerability in Claude Code's project-load flow that allows a malicious repository to exfiltrate data, including Anthropic API keys. This was fixed in version 2.0.65 in January 2026.
How the Attacks Work
Anthropic explained that if a user started Claude Code in an attacker-controlled repository, and the repository included a settings file that set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, Claude Code would issue API requests before showing the trust prompt, potentially leaking the user's API keys.
This means simply opening a crafted repository is enough to exfiltrate a developer's active API key, redirect authenticated API traffic to external infrastructure, and capture credentials. This could permit the attacker to burrow deeper into the victim's AI infrastructure, potentially accessing shared project files, modifying or deleting cloud-stored data, uploading malicious content, and even generating unexpected API costs.
Supply Chain Security Implications
Successful exploitation of the first vulnerability could trigger stealthy execution on a developer's machine without any additional interaction beyond launching the project. CVE-2025-59536 achieves a similar goal, with the main difference being that repository-defined configurations through .mcp.json and claude/settings.json files could be exploited by an attacker to override explicit user approval prior to interacting with external tools and services through the Model Context Protocol (MCP).
This is achieved by setting the "enableAllProjectMcpServers" option to true.
"As AI-powered tools gain the ability to execute commands, initialize external integrations, and initiate network communication autonomously, configuration files effectively become part of the execution layer," Check Point said. "What was once considered operational context now directly influences system behavior."
The New Threat Model
The researchers emphasized that this fundamentally alters the threat model. "The risk is no longer limited to running untrusted code – it now extends to opening untrusted projects. In AI-driven development environments, the supply chain begins not only with source code, but with the automation layers surrounding it."
The vulnerabilities highlight the growing security challenges as AI coding assistants become more autonomous and capable of executing commands, initializing external integrations, and initiating network communication without explicit user approval for each action.
Developers using Claude Code should ensure they have updated to the latest patched versions and exercise caution when opening repositories from untrusted sources, as the attack surface has expanded beyond traditional code execution to include the configuration and automation layers that AI tools now manage.
Comments
Please log in or register to join the discussion