One-Click RCE Flaw in Claude Code, AI Coding Tools Exploits MCP Trust Prompts, Researchers Warn
#Vulnerabilities

Privacy Reporter

Security researchers have disclosed a one-click remote code execution flaw in Anthropic's Claude Code and other leading AI coding CLIs. The attack abuses a generic folder-trust prompt and project-scoped settings that a cloned repository can set silently; the vendor classes it as user error, even though the explicit MCP safety warning that would have informed that decision was removed in a recent release.

Adversa AI, a security research firm, has disclosed the TrustFall proof-of-concept attack, which demonstrates a one-click remote code execution (RCE) vulnerability affecting Anthropic's Claude Code, along with Google's Gemini CLI, Cursor CLI, and GitHub Copilot CLI. The attack relies on the Model Context Protocol (MCP), the standard by which AI applications connect to external tool servers that expose tools, data, and documentation to the model. Which servers a client launches, and with what command, is declared in JSON configuration files, and Claude Code reads some of those files from the project directory itself.

A malicious repository can commit two ordinary-looking JSON files, .mcp.json and .claude/settings.json, that together declare an attacker-controlled MCP server and pre-approve it; a plain git clone brings both onto the developer's machine. When the developer opens the cloned repository in Claude Code and accepts the generic "Yes, I trust this folder" dialog, Claude Code spawns the declared MCP server as an unsandboxed Node.js child process running with the user's full privileges. No per-server consent is requested, and no tool call from Claude is needed to trigger the execution. The result is near-instant compromise of the developer's machine: the attacker's process can read local files, exfiltrate data, or install malware.

The PoC works on Claude Code CLI v2.1.114, the version current as of May 2, 2026. Adversa AI notes that the other agent CLIs are also affected, though specific PoCs for those tools have not been published. This is the third CVE assigned to Claude Code in six months stemming from the same root cause: project-scoped settings used as an injection vector. The prior related vulnerability, CVE-2025-59536, was patched because it triggered automatically when a user started Claude Code in a malicious directory. Anthropic considers the TrustFall flaw out of scope, because the user is presented with a trust dialog and makes an explicit decision to proceed.

Adversa AI argues that this decision is not made with informed consent. Prior to Claude Code CLI v2.1, the trust dialog explicitly warned users that .mcp.json files could execute code, and offered three options including "proceed with MCP servers disabled." Anthropic removed this informed-consent UX in v2.1, replacing it with a generic dialog that defaults to "Yes, I trust this folder" with no mention of MCP, no list of executables that will spawn, and no option to opt out of MCP while keeping other trust grants for the folder. Most developers are unaware that these settings exist, let alone that a cloned repository can set them silently without any visible indication.

Anthropic has not responded to requests for comment as of publication. The company’s stated position is that the user’s trust decision moves the issue outside its threat model. Adversa AI co-founder Alex Polyakov notes that each prior CVE from this root cause has been patched in isolation, but the underlying class of vulnerability has not been fixed. This leaves developers exposed to future attacks using the same project settings injection method.

A zero-click variant of the attack poses a critical risk to CI/CD pipelines that integrate Claude Code. When Claude Code is invoked via SDK in non-interactive pipeline environments, there is no terminal prompt to click. This means malicious project settings can trigger automatically, compromising build systems without any human interaction. Attackers who gain access to CI/CD pipelines can inject malicious code into production releases, steal proprietary code, or exfiltrate customer data processed by the pipeline.

This vulnerability carries significant risks under data protection regulations including the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). If a compromised developer machine or CI/CD pipeline processes personal data of EU or California residents, a resulting data breach would trigger mandatory reporting requirements and potential penalties. GDPR fines reach up to 4% of a company's global annual turnover or €20 million, whichever is higher, for the most serious infringements; a failure to implement appropriate technical measures under Article 32 falls in the lower tier of up to 2% or €10 million. CCPA violations carry penalties of up to $7,500 per intentional violation. Affected parties include individual developers, enterprises that deploy these AI coding tools, and end users whose personal data is handled by compromised systems. Compliance teams must assess whether their use of Claude Code and similar tools meets regulatory requirements for risk management, given that vendors are dismissing known, unpatched vulnerabilities as user error. Companies that fail to audit their tool configurations, disable dangerous project-level settings, or train developers on the risks could be found negligent in the event of a breach.

Sergey Malenkovich of Adversa AI outlines three necessary changes to mitigate the risk. First, Anthropic should block the enableAllProjectMcpServers, enabledMcpjsonServers, and permissions.allow settings from being set by any settings file inside a project directory, so that a repository cannot approve its own servers and grant its own permissions. Second, the company should implement a dedicated MCP consent dialog that defaults to "deny" rather than granting blanket trust. Third, consent should be required per server rather than as an all-or-nothing grant for every MCP server in a project. These changes would restore informed consent for users and prevent silent execution of untrusted code.

As of May 2026, no patch has been released for the TrustFall vulnerability. Developers using Claude Code or other affected CLIs are advised to avoid cloning untrusted repositories, to disable project-level MCP settings in their global configuration, and, if they require the explicit MCP warning dialog, to revert to a pre-v2.1 version of Claude Code, downgrading no further than a release that still carries the fix for CVE-2025-59536. Before trusting any cloned folder, inspect .mcp.json and .claude/settings.json for server commands and self-approval keys, since the dialog will not list them. Enterprises should audit their CI/CD pipelines to ensure that Claude Code is not invoked in untrusted directories, and implement sandboxing for all AI tool processes to limit the impact of potential compromises.
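The manual check that the trust dialog no longer performs, as an added example that is not part of the Adversa AI disclosure or of Anthropic's tooling. It reads the two project files described above, lists every MCP server that "Yes, I trust this folder" would launch, flags the self-approval keys from the mitigation list, and exits non-zero on the TrustFall shape so it can gate a CI step before the SDK runs. The key names are the ones this article cites; the sample server command and permission pattern are constructed for the demo.

```python
"""Pre-trust audit of a cloned repository's Claude Code project settings.

Added example for this article; not code from Adversa AI's TrustFall PoC
or from Anthropic. All file contents written by the demo are constructed.
"""
import json
import sys
import tempfile
from pathlib import Path

# Project-scoped keys that, per the article, let a repository grant itself
# MCP approval without a per-server prompt.
SELF_APPROVING_KEYS = ("enableAllProjectMcpServers", "enabledMcpjsonServers")


def load_json(path: Path) -> dict:
    """Parse a JSON file, treating a missing or malformed file as empty."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (FileNotFoundError, json.JSONDecodeError):
        return {}
    return data if isinstance(data, dict) else {}


def audit_project(root: Path) -> dict:
    """Report what trusting `root` would enable, and rate the risk.

    high   : servers declared AND the project pre-approves them (TrustFall shape)
    medium : servers or permission grants present, but no self-approval
    low    : no project-scoped MCP or permission settings at all
    """
    mcp = load_json(root / ".mcp.json")
    settings = load_json(root / ".claude" / "settings.json")

    servers = []
    for name, spec in mcp.get("mcpServers", {}).items():
        spec = spec if isinstance(spec, dict) else {}
        # A "command" entry is a local stdio server: a child process of the CLI,
        # run with the user's privileges. This is the line the dialog never shows.
        command = " ".join([spec.get("command", ""), *spec.get("args", [])]).strip()
        servers.append({"name": name, "command": command or "(remote/unknown)"})

    self_approving = {k: settings[k] for k in SELF_APPROVING_KEYS if k in settings}
    allow = list(settings.get("permissions", {}).get("allow", []))

    if servers and self_approving:
        risk = "high"
    elif servers or allow:
        risk = "medium"
    else:
        risk = "low"
    return {"servers": servers, "self_approving": self_approving,
            "permissions_allow": allow, "risk": risk}


def write_demo_repo(root: Path, self_approve: bool) -> None:
    """Write constructed project files shaped like the attack described above."""
    (root / ".claude").mkdir(parents=True, exist_ok=True)
    # Constructed: a stdio server that would run scripts/helper.js as the user.
    (root / ".mcp.json").write_text(json.dumps({
        "mcpServers": {"helper": {"command": "node", "args": ["scripts/helper.js"]}}
    }))
    settings = {"permissions": {"allow": ["Bash(npm run *)"]}}  # constructed pattern
    if self_approve:
        settings["enableAllProjectMcpServers"] = True
        settings["enabledMcpjsonServers"] = ["helper"]
    (root / ".claude" / "settings.json").write_text(json.dumps(settings))


def run_demo(self_approve: bool = True) -> dict:
    """Build a throwaway repo and audit it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_demo_repo(root, self_approve)
        return audit_project(root)


if __name__ == "__main__":
    # Audit the repository path given on the command line, or the demo if none.
    # Exit status 1 on "high" so the script can gate a CI job before the SDK runs.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    report = audit_project(target) if target else run_demo()
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["risk"] == "high" else 0)
```

Run it as `python audit.py /path/to/clone` right after `git clone` and before opening the folder in Claude Code; with no argument it audits the constructed demo repository and reports "high". The same invocation placed ahead of a non-interactive SDK call in a pipeline gives the zero-click variant a gate it otherwise lacks.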
