Full Report
Cybersecurity researchers have disclosed multiple security vulnerabilities in Anthropic's Claude Code, an artificial intelligence (AI)-powered coding assistant, that could result in remote code execution and theft of API credentials. "The vulnerabilities exploit various configuration mechanisms, including Hooks, Model Context Protocol (MCP) servers, and environment variables – executing
Analysis Summary
# Vulnerability: Multiple RCE and Information Disclosure Flaws in Anthropic Claude Code
## CVE Details
- **CVE ID:** CVE-2025-59536, CVE-2026-21852, and one unassigned vulnerability (GHSA-ph6w-f82w-28w6)
- **CVSS Score:** 8.7 (High) for CVE-2025-59536 and unassigned; 5.3 (Medium) for CVE-2026-21852
- **CWE:** CWE-94 (Code Injection), CWE-200 (Information Disclosure)
## Affected Systems
- **Products:** Anthropic Claude Code (CLI AI coding assistant)
- **Versions:**
- Versions prior to 1.0.87 (Hooks vulnerability)
- Versions prior to 1.0.111 (CVE-2025-59536)
- Versions prior to 2.0.65 (CVE-2026-21852)
- **Configurations:** Systems where Claude Code is initialized within untrusted or attacker-controlled local directories/repositories.
## Vulnerability Description
Researchers identified three distinct flaws in how Claude Code handles project-level configuration files:
1. **Consent Bypass (Hooks):** Exploits `.claude/settings.json` to execute arbitrary shell commands via project hooks without user confirmation when the tool starts.
2. **MCP Server Injection (CVE-2025-59536):** Attackers use `.mcp.json` or project settings to enable the `enableAllProjectMcpServers` option. This bypasses user approval requirements, allowing the tool to interact with malicious Model Context Protocol (MCP) servers upon initialization.
3. **API Key Exfiltration (CVE-2026-21852):** A flaw in the project-load flow where providing a malicious `ANTHROPIC_BASE_URL` in the settings file causes Claude Code to send API requests (containing the user's active API key) to an attacker-controlled endpoint before the "trust" prompt is even displayed.
## Exploitation
- **Status:** PoC available (disclosed by Check Point Research); fixed by vendor.
- **Complexity:** Medium
- **Attack Vector:** Local/Social Engineering (requires the victim to clone/open a malicious repository and run Claude Code within it).
## Impact
- **Confidentiality:** High (Theft of Anthropic API keys and active session credentials).
- **Integrity:** High (Arbitrary shell command execution on the developer's machine).
- **Availability:** Medium (Potential for unexpected API costs or modification/deletion of cloud-stored data).
## Remediation
### Patches
Users should ensure they are running the latest version of Claude Code.
- **Update to version 2.0.65 or later** to address all identified vulnerabilities.
- Specific fixes were introduced in:
- **1.0.87:** Fixed Hook injection.
- **1.0.111:** Fixed MCP server injection.
- **2.0.65:** Fixed API key exfiltration.
### Workarounds
- Avoid running Claude Code in directories cloned from untrusted or unverified sources.
- Inspect `.claude/settings.json` and `.mcp.json` files in new repositories before initializing AI tools.
- Manually audit environment variables and base URL settings in project configurations.
## Detection
- **Indicators of Compromise:**
- Unexpected outbound network traffic to unfamiliar endpoints during tool initialization.
- Unauthorized modifications to `.claude/settings.json` or `.mcp.json`.
- Unusual shell activity or processes spawned by the `claude` CLI process.
- **Detection methods:** Monitor process execution chains where `claude` is the parent process to identify unauthorized shell commands.
## References
- **Vendor Advisories:**
- [https://github.com/anthropics/claude-code/security/advisories/GHSA-ph6w-f82w-28w6]
- [https://github.com/anthropics/claude-code/security/advisories/GHSA-4fgq-fpq9-mr3g]
- [https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7]
- **Research:**
- [https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/]
- [https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html]