Critical Claude Code Vulnerabilities Enable Remote Code Execution

Home » News
Yash Shield
News
Reading time icon 3 min. read

Calendar icon Published on

Anthropic’s Claude Code contains critical vulnerabilities CVE-2025-59536 and CVE-2026-21852 that allow attackers to execute remote code and steal API keys through malicious repository files. Check Point Research found these flaws let threat actors bypass trust controls simply when developers clone and open untrusted projects. All issues are now patched after responsible disclosure to Anthropic.

These flaws affect Claude Code, an AI-powered coding tool used in development workflows. Attackers exploit project configuration files like hooks, Model Context Protocol (MCP) servers, and environment variables. Developers face risks from everyday actions such as opening shared repositories.

Vulnerability Details

Claude Code processes repository settings before users approve trust, creating an entry point for attacks. Hooks run arbitrary shell commands on the developer’s machine. MCP integrations and environment variables trigger silent code execution.

CVE IDDescriptionCVSS v3.1 ScoreAttack VectorFixed Version
CVE-2025-59536Consent bypass via hooks/MCP for RCE8.8 (High)AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L2.0.65+
CVE-2026-21852API key theft by redirecting traffic pre-trust9.1 (Critical)AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L2.0.65

Anthropic’s official statement confirms fixes block external tool execution and API calls until trust confirmation.

Attack Methods

Attackers craft repositories with malicious configs. Steps include:​

  • Place harmful hooks or MCP servers in project files.
  • Set ANTHROPIC_BASE_URL to attacker server.​
  • Victim opens repo; tool sends API key in plaintext before trust prompt.
  • Stolen keys access Workspaces, enabling data theft or high API bills.​

No user approval is needed for exfiltration in CVE-2026-21852. This shifts security risks to repository metadata once seen as safe.blog.checkpoint+1

Fixes and Mitigation

Anthropic patched issues with stronger trust dialogs and deferred network calls. Update to Claude Code 2.0.65 or later.thehackernews+2

  • Scan repos for suspicious configs before opening.
  • Review MCP servers and environment vars manually.
  • Use isolated environments for untrusted code.
  • Monitor API logs for unknown IPs.​

Organizations should train devs on AI tool supply chain risks.​

FAQ

What triggered these Claude Code vulnerabilities?

Malicious project files exploited hooks, MCP, and env vars to bypass trust.

Are Anthropic API keys safe now?

Yes, patches prevent pre-trust API calls. Update immediately.

Which versions of Claude Code are affected?

All prior to 2.0.65. Check your install.

How did Check Point disclose this?

They coordinated with Anthropic before public release on Feb 24, 2026.

What supply chain risks do these show?

AI tools blur trust boundaries, making repo configs active threats.

Yash

Yash Shield

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages