Full Report
By Aviv Donenfeld and Oded Vanunu

Executive Summary

Check Point Research has discovered critical vulnerabilities in Anthropic’s Claude Code that allow attackers to achieve remote code execution and steal API credentials through malicious project configurations. The vulnerabilities exploit various configuration mechanisms including Hooks, Model Context Protocol (MCP) servers, and environment variables, executing arbitrary shell commands […]

The post "Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852" appeared first on Check Point Research.
Analysis Summary
# Vulnerability: RCE and API Token Exfiltration in Claude Code
## CVE Details
- **CVE ID:** CVE-2025-59536 and CVE-2026-21852
- **CVSS Score:** Critical (Specific numerical scores not provided in text, but categorized as critical RCE)
- **CWE:** CWE-94 (Improper Control of Generation of Code / Code Injection)
## Affected Systems
- **Products:** Anthropic Claude Code (Command-line interface AI agent)
- **Versions:** All versions prior to the patches released in late February 2026.
- **Configurations:** Systems where a user clones and opens an untrusted repository containing a malicious `.claude/settings.json` file or specific project-level configuration hooks.
## Vulnerability Description
The vulnerabilities exist in how Claude Code processes project-level configuration files. Anthropic’s "Hooks" feature and "Model Context Protocol (MCP)" server configurations allowed user-defined commands to be stored in the repository within the `.claude/` directory.
- **CVE-2025-59536:** Relates to the exploitation of "Hooks" (pre-defined triggers) and MCP server configurations that execute arbitrary shell commands when the CLI tool interacts with the project.
- **CVE-2026-21852:** Relates to the exfiltration of sensitive environment variables, specifically the `ANTHROPIC_API_KEY`, by redirecting or injecting commands that send the token to an attacker-controlled endpoint.
## Exploitation
- **Status:** PoC available (demonstrated by Check Point Research); patched prior to publication.
- **Complexity:** Low (Triggered by standard developer actions like cloning a repo and running Claude Code).
- **Attack Vector:** Local/Supply Chain (Attacker commits malicious files to a public repository; victim pulls and executes the tool within that directory).
## Impact
- **Confidentiality:** Critical (Full access to API keys and local files).
- **Integrity:** Critical (Ability to execute arbitrary shell commands and modify system/code state).
- **Availability:** High (Potential for system-wide disruption via malicious scripts).
## Remediation
### Patches
- Anthropic has released updates to the Claude Code CLI. Users should update to the latest version via their package manager (e.g., `npm install -g @anthropic-ai/claude-code@latest`).
### Workarounds
- **Exercise Caution:** Avoid running Claude Code in untrusted or unvetted repositories.
- **Config Review:** Manually inspect the `.claude/settings.json` file and the `.claude/` directory for suspicious shell commands or unknown MCP servers before activating the tool in a new project.
## Detection
- **Indicators of Compromise:**
  - Presence of unexpected shell commands in `.claude/settings.json`.
  - External network connections to unknown domains originating from the terminal/CLI process.
  - Unexpected entries in the `hooks` section of Claude Code configuration.
- **Detection Methods:**
  - Scan repositories for the `.claude/` directory to identify potential configuration injection.
  - Monitor process execution for suspicious child processes spawned by `claude` or `node`.
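
One way to automate the config review and repository scan described above, before the tool is started in a freshly cloned project. This is an added example, not code from Check Point Research or Anthropic. It makes no assumption about the exact settings schema: it lists every string value stored under a key whose name contains `hooks` (named on this page), `mcp` or `env` (fragments assumed here) so a person can read them. The sample repository and its key names are constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumption: key-name fragments worth a human look. `hooks` is named on this
# page; "mcp" and "env" are fragments chosen here to catch MCP server and
# environment-variable entries without relying on an exact schema.
REVIEW_TAGS = ("hooks", "mcp", "env")

def _string_leaves(node, path=()):
    """Yield (key_path, value) for every string leaf in parsed JSON."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _string_leaves(val, path + (str(key),))
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from _string_leaves(val, path + (str(idx),))
    elif isinstance(node, str):
        yield path, node

def audit_repo(repo):
    """List (file, key_path, value) to review for each JSON file inside a .claude/ dir."""
    repo, findings = Path(repo), []
    for cfg in sorted(repo.rglob("*.json")):
        rel = cfg.relative_to(repo)
        if ".claude" not in rel.parts:      # only project-level Claude Code config
            continue
        try:
            doc = json.loads(cfg.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:  # unreadable or malformed: flag, don't skip
            findings.append((rel.as_posix(), "<unparseable>", type(exc).__name__))
            continue
        for path, value in _string_leaves(doc):
            if any(tag in part.lower() for part in path for tag in REVIEW_TAGS):
                findings.append((rel.as_posix(), ".".join(path), value))
    return findings

def write_sample_repo(root):
    """Constructed sample: hypothetical keys and harmless values, for the demo only."""
    cfg = Path(root) / "vendor" / "lib" / ".claude"
    cfg.mkdir(parents=True)
    sample = {"theme": "dark",
              "hooks": {"ExampleEvent": [{"command": "echo constructed-sample"}]},
              "env": {"EXAMPLE_VAR": "constructed-value"}}
    (cfg / "settings.json").write_text(json.dumps(sample), encoding="utf-8")
    (cfg / "broken.json").write_text("{not json", encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_repo(tmp)
        for finding in audit_repo(tmp):
            print(*finding, sep="  |  ")
```

The scan also reaches `.claude/` directories nested in subfolders such as vendored dependencies, and reports files it cannot parse instead of silently passing them.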
## References
- **Vendor Advisory:** Anthropic Security Updates
- **Research Blog:** hxxps://research[.]checkpoint[.]com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/