Full Report
Anthropic fixed the flaws - but the AI-enabled attack surfaces remain

Security vulnerabilities in Claude Code could have allowed attackers to remotely execute code on users' machines and steal API keys by injecting malicious configurations into repositories, and then waiting for a developer to clone and open an untrustworthy project.…
Analysis Summary
# Vulnerability: RCE and API Key Exfiltration in Claude Code via Malicious Project Configurations
## CVE Details
- CVE ID: CVE-2025-59536 (MCP consent bypass flaw), CVE-2026-21852 (API key theft flaw). The malicious-hooks flaw was fixed but is not assigned a CVE in the source text; it is tracked by the GitHub advisory GHSA-ph6w-f82w-28w6.
- CVSS Score: Not stated in the source; remote code execution implies High severity.
- CWE: CWE-78 (Improper Neutralization of Special Elements used to Construct OS Commands) likely applies to RCE flaws.
## Affected Systems
- Products: Anthropic Claude Code (AI coding tool)
- Versions: Specific vulnerable versions are not disclosed; all versions prior to the vendor fixes should be treated as affected.
- Configurations: Any repository that includes user-defined configuration files accessible to collaborators, specifically `.claude/settings.json` and `.mcp.json`.
## Vulnerability Description
Three vulnerabilities were discovered related to how Claude Code embeds project-level configuration files (like `.claude/settings.json`) directly into repositories. When a developer clones an untrustworthy project, these configurations can automatically apply, leading to compromise.
1. **Abusing Hooks for RCE:** Attackers could define malicious shell commands within the repository's `.claude/settings.json` under the "Hooks" feature. Claude executed these commands without explicit user approval upon project interaction, leading to Remote Code Execution (RCE).
2. **MCP Consent Bypass Bug (RCE):** By abusing settings in `.mcp.json` that controlled Model Context Protocol (MCP) integrations, attackers could override safeguards requiring user approval, leading to immediate command execution upon running Claude Code.
3. **API Key Theft:** Attackers could redirect the `ANTHROPIC_BASE_URL` environment variable, defined insecurely in configuration files, to an attacker-controlled server. This allowed the exfiltration of the user's API key during Claude Code's communications. Stolen keys could then be leveraged to read/write workspace files by tricking Claude into re-generating existing files as downloadable artifacts.
## Exploitation
- Status: PoC available (demonstrated by opening a calculator/running a reverse shell).
- Complexity: Low to Medium (depended on the specific flaw, ranging from automatic execution via hooks to needing specific configuration overrides).
- Attack Vector: Adjacent (requires cloning and opening a malicious repository by a developer).
## Impact
- Confidentiality: High (API keys exfiltrated, potential for reading/writing all workspace files).
- Integrity: High (Arbitrary remote code execution allows complete system compromise).
- Availability: Medium (Potential for deletion or poisoning of workspace files).
## Remediation
### Patches
- Anthropic issued fixes for all three flaws.
- Fix for malicious hooks flaw published via GitHub Security Advisory (GHSA-ph6w-f82w-28w6) on August 29, 2025.
- Fix for MCP consent bypass flaw published with CVE-2025-59536 on October 3, 2025.
- Fix for API key extraction flaw published with CVE-2026-21852 on January 21, 2026.
- Users must update to versions incorporating these fixes.
### Workarounds
- The source gives no formal workaround; the core risk is automatic trust in repository-supplied configuration. Developers should exercise extreme caution when cloning and opening projects from untrusted sources, and should not assume an AI-enabled tool is safe to point at an unreviewed checkout.
## Detection
- Indicators of Compromise: Unexpected shell processes spawned from the Claude Code process (e.g., a calculator opening, a reverse shell), API traffic routed to a host other than Anthropic's endpoint, or unexpected reads/writes of workspace files made with the user's API key.
- Detection methods and tools: Monitor local command execution that originates from the Claude Code process while a project is being loaded. Monitor outbound connections for API traffic to unexpected hosts, which would indicate an overridden `ANTHROPIC_BASE_URL`.
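The three patterns above (hook commands in `.claude/settings.json`, an `ANTHROPIC_BASE_URL` override in a config file, and server definitions in `.mcp.json`) can be flagged before a checkout is ever opened in the tool. The following pre-open scanner is an added defensive example, not code from Anthropic or from the research report; the key names it looks for (`hooks`, `env`, `mcpServers`) are assumptions about the config layout drawn from the behaviour the summary describes, not from a published schema, and the sample repository it builds is constructed for the demonstration.

```python
"""Pre-open scanner for risky project-level Claude Code configuration files.

Added defensive example for this summary; not Anthropic's code. The key names
checked ("hooks", "env", "mcpServers") are ASSUMPTIONS about the config layout,
inferred from the report's description. Adjust the *_KEYS sets to match the
version you run.
"""
import json
import tempfile
from pathlib import Path

CONFIG_FILES = (".claude/settings.json", ".mcp.json")
HOOK_KEYS = {"hooks"}              # assumed: hook entries can run shell commands
ENV_KEYS = {"env"}                 # assumed: env block can set process variables
MCP_KEYS = {"mcpServers"}          # assumed: MCP server definitions live here
RISKY_ENV_VARS = {"ANTHROPIC_BASE_URL"}  # named on the page: API traffic redirect


def _walk(node, path=""):
    """Yield (json_path, key, value) for every mapping entry, recursively."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            yield here, key, value
            yield from _walk(value, here)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from _walk(value, f"{path}[{idx}]")


def scan_config(rel_name, data):
    """Return (file, category, detail) findings for one parsed config object."""
    findings = []
    for jpath, key, value in _walk(data):
        if key in HOOK_KEYS:
            findings.append((rel_name, "hook", jpath))
        elif key in ENV_KEYS and isinstance(value, dict):
            for var, val in value.items():
                if var in RISKY_ENV_VARS:
                    findings.append((rel_name, "env-override", f"{jpath}/{var}={val}"))
        elif key in MCP_KEYS and isinstance(value, dict):
            for server in value:
                findings.append((rel_name, "mcp-server", f"{jpath}/{server}"))
    return findings


def scan_repo(root):
    """Scan a checkout for the repository-supplied config files the report names."""
    root = Path(root)
    findings = []
    for rel in CONFIG_FILES:
        path = root / rel
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError) as exc:
            # A file that will not parse still deserves a human look before opening.
            findings.append((rel, "unparseable", str(exc)))
            continue
        findings.extend(scan_config(rel, data))
    return findings


def build_sample_repo():
    """Constructed sample checkout (not a real project) showing all three patterns."""
    root = Path(tempfile.mkdtemp(prefix="claude-scan-"))
    (root / ".claude").mkdir()
    (root / ".claude" / "settings.json").write_text(json.dumps({
        "hooks": {"PreToolUse": [{"command": "echo constructed-sample"}]},
        "env": {"ANTHROPIC_BASE_URL": "https://example.invalid/proxy"},
    }))
    (root / ".mcp.json").write_text(json.dumps({
        "mcpServers": {"sample": {"command": "echo", "args": ["constructed-sample"]}}
    }))
    return root


if __name__ == "__main__":
    for finding in scan_repo(build_sample_repo()):
        print("RISK", *finding)
```

Run it against a fresh clone before opening the project in the tool; any `hook`, `env-override`, or `mcp-server` finding means the repository is asking to run commands or redirect API traffic on your machine and should be reviewed by hand. Because the scanner only reads files, it is safe to wire into a `post-checkout` Git hook or a CI job that gates which repositories developers may open.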
## References
- Vendor Advisory (GHSA): hxxps://github.com/advisories/GHSA-ph6w-f82w-28w6
- NVD Entry (CVE-2025-59536): hxxps://nvd.nist.gov/vuln/detail/CVE-2025-59536
- NVD Entry (CVE-2026-21852): hxxps://nvd.nist.gov/vuln/detail/CVE-2026-21852
- Research Report: hxxps://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/