Claude Code RCE flaw let malicious deeplinks run commands on developer machines
8 min. read 
Published on
A patched Claude Code vulnerability could let attackers run commands on a victim’s machine through a malicious deeplink.
The flaw affected Anthropic’s Claude Code CLI deeplink handling and its early parsing of the –settings option. A crafted claude-cli://open link could inject attacker-controlled settings and trigger a command through Claude Code hooks.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Security researcher Joernchen of 0day.click disclosed the issue on May 12, 2026, and said it has been fixed since Claude Code version 2.1.118. Users should update Claude Code to 2.1.118 or later, and preferably to the newest available release.
How the Claude Code deeplink flaw worked
The vulnerability came from a function called eagerParseCliFlag in Claude Code’s startup path. The function scanned command-line arguments for values beginning with –settings= before the main program initialization completed.
The problem was context. The parser did not reliably distinguish between a real CLI flag and a string passed as the value of another option.
Claude Code’s deeplink handler can use a prefill option to place text into a prompt from the q parameter in a deeplink. Because the early parser scanned too broadly, an attacker could place a –settings value inside that prefilled prompt and have it treated as a real settings override.
| Detail | Information |
|---|---|
| Product | Anthropic Claude Code CLI |
| Attack path | Malicious claude-cli://open deeplink |
| Root issue | Context-blind parsing of –settings arguments |
| Feature abused | SessionStart hooks |
| Main impact | Command execution on the victim’s machine |
| Fixed version | 2.1.118 or later, according to the researcher |
Why hooks made the bug dangerous
Claude Code hooks are a legitimate automation feature. They let users run commands at specific points in a session, such as when a session begins, when a prompt is submitted, or when a tool runs.
That feature becomes risky if an attacker can control hook settings without proper user review. In this case, the injected settings could define a SessionStart hook that runs automatically when Claude Code opens the session.
Because SessionStart hooks run at the beginning of a session, the attacker-controlled command could execute immediately after the victim opened the malicious deeplink.
Workspace trust bypass increased the risk
The researcher also found that the attack could bypass Claude Code’s workspace trust dialog in some cases.
The deeplink could include a repository parameter pointing to a repository the victim had already cloned and trusted locally. If the repository matched an existing trusted workspace, the command could run without showing the usual trust warning.
That made the flaw more serious for active Claude Code users. Developers often trust their own repositories, popular open-source repositories, and work projects, which gives attackers a possible path to make a malicious deeplink look normal.
- The attack required the victim to open a crafted deeplink.
- The deeplink could inject Claude Code settings.
- Injected settings could define a SessionStart hook.
- The hook could run a shell command at session startup.
- The trust prompt could be bypassed if the repo was already trusted.
Why deeplink handlers are risky
Deeplink handlers let websites, documents, chats, and other apps open a local application through a custom URI scheme. They are convenient, but they also create a bridge between untrusted web content and local tools.
For developer tools, that bridge is especially sensitive. A coding assistant may have access to source code, shell commands, local files, credentials, Git repositories, package managers, and cloud configuration files.
If a deeplink handler accepts attacker-controlled values and passes them into startup settings, the local tool can become a command-execution target.
| Risk area | Why it matters |
|---|---|
| Local command execution | Developer tools can run shell commands and scripts. |
| Repository access | Coding tools often open trusted local projects. |
| Secrets exposure | Developer machines may store API keys, tokens, and cloud credentials. |
| Browser-to-local bridge | Custom URI schemes can turn a clicked link into local app behavior. |
| Trust confusion | Users may not expect a link to change tool settings or run hooks. |
The parsing bug behind the issue
The vulnerable pattern involved scanning raw process arguments for strings that started with –settings=. That approach can fail when one argument contains text that looks like a flag but actually belongs to another option.
In this case, the q parameter from a deeplink became prompt text through the prefill flow. However, the early settings parser treated a –settings string inside that prompt text as a real configuration override.
The fix requires context-aware parsing. A secure parser must understand which values belong to which flags, instead of searching the full argument list for matching string prefixes.
Why this matters for AI coding tools
AI coding agents now sit close to highly sensitive developer workflows. They can read code, run tests, edit files, call tools, and execute commands with user approval or through configured automation.
That makes configuration injection bugs more dangerous than they might be in a simpler desktop app. A small parsing flaw can turn into a path for local command execution if it reaches hooks, shell commands, or plugin systems.
The Claude Code issue also follows earlier research showing that hooks and project-controlled configuration can create command-execution risk when trust boundaries are not clear enough.
What Claude Code users should do
Users should update Claude Code immediately if they run a version older than 2.1.118. The safest path is to install the newest available Claude Code version, since later releases include additional security and reliability fixes.
Users should also avoid opening claude-cli:// links from websites, chats, emails, issue comments, or unknown repositories unless they fully trust the source.
Teams using Claude Code in enterprise environments should review trusted workspaces, managed settings, hooks, and deeplink usage policies.
- Update Claude Code to 2.1.118 or later.
- Prefer the latest available Claude Code release.
- Do not open claude-cli:// links from untrusted sources.
- Review trusted repositories and workspace entries.
- Audit hooks in user, project, local, and managed settings.
- Restrict project settings in shared repositories where possible.
- Review developer machines for unexpected hook commands.
What developers should check after exposure
Developers who may have clicked a suspicious Claude Code deeplink should review local settings and recent shell activity. They should also check whether unknown commands ran around the time the link opened.
Since coding tools often run inside repositories with secrets or cloud access, developers should look for unusual changes to files, Git remotes, shell profiles, and credential files.
If a malicious command may have executed, teams should rotate exposed credentials from a clean machine and review endpoint logs before continuing normal work.
- Check the installed Claude Code version.
- Review Claude Code settings files for unknown hooks.
- Inspect shell history and terminal logs where available.
- Check recent changes in trusted repositories.
- Look for suspicious files created near the time the deeplink opened.
- Rotate API keys, Git tokens, and cloud credentials if compromise is possible.
- Scan the machine with endpoint security tools.
Lessons for tool builders
The issue highlights a common secure-coding mistake: treating command-line arguments as a flat list of strings instead of parsing them with full context.
This mistake becomes more dangerous when the application also supports custom URI schemes, inline settings, hooks, plugins, or project-controlled configuration.
Developers building local AI tools should treat deeplink input as hostile. They should block sensitive flags from deeplinks, validate every parameter, preserve argument context, and require clear user approval before executing commands from configuration.
Why this disclosure matters
The Claude Code flaw shows how AI developer tools can become high-value local attack surfaces. The attacker did not need to exploit a model response or trick the AI into writing unsafe code.
Instead, the weakness sat in the surrounding application logic: deeplinks, argument parsing, settings, hooks, and workspace trust.
As coding agents gain more automation features, security teams will need to review not only the model but also the local runtime around it. The runtime decides what files can be read, what commands can run, and which settings can change user behavior.
FAQ
It was a vulnerability in Claude Code’s deeplink and argument parsing behavior. A crafted claude-cli://open link could inject –settings data and define a SessionStart hook that ran commands on the victim’s machine.
The researcher says the vulnerability has been fixed since Claude Code 2.1.118. Users should update to 2.1.118 or later, and preferably to the newest available release.
Yes. The victim had to open a malicious Claude Code deeplink. However, after the link opened, the injected SessionStart hook could run without a separate command approval prompt in the researcher’s reported attack path.
Users should update Claude Code, avoid opening claude-cli:// links from untrusted sources, review trusted repositories, audit hooks in settings files, and rotate credentials if they suspect a malicious deeplink was opened.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages