Critical vulnerabilities in Anthropic’s Claude Code, an AI-powered command-line development tool. The flaws could allow attackers to achieve Remote Code Execution (RCE) and exfiltrate Anthropic API keys by exploiting project configuration files.
The issues were reported by Check Point Research (CPR), and Anthropic has fully patched all vulnerabilities prior to public disclosure.
The vulnerabilities highlight the growing attack surface introduced by AI-assisted development tools, where repository-controlled configuration files can be weaponized to compromise developer machines and shared workspaces.
Claude Code allows developers to delegate tasks directly from their terminal. To facilitate team collaboration, it supports project-level configurations through a .claude/settings.json file stored directly in the repository.
Because this file is inherited when a repository is cloned, any contributor with commit access can modify it.
CPR discovered that malicious configurations could trigger unintended actions on a developer’s machine, effectively turning a passive setup file into an execution vector.
Vulnerability 1: RCE via Untrusted Project Hooks
Anthropic’s “Hooks” feature allows users to define commands that execute automatically at specific points in Claude Code’s lifecycle (e.g., formatting code after an edit). These hooks are defined in the repository-controlled .claude/settings.json.
CPR found that when cloning an untrusted repository with a malicious hook configured to trigger on SessionStart, Claude Code executed the command immediately upon initialization.
While the tool presented a general trust dialog, it did not explicitly warn that hook commands were already running in the background without user confirmation.
This allowed attackers to execute arbitrary shell commands, such as establishing a reverse shell.
Vulnerability 2: RCE Using MCP Consent Bypass (CVE-2025-59536)
Claude Code supports the Model Context Protocol (MCP) to interact with external tools, configured via an .mcp.json file.
Following CPR’s initial report, Anthropic implemented a warning dialog for MCP initialization.
However, CPR found a bypass using two settings in :
.claude/settings.json: enableAllProjectMcpServers and enabledMcpjsonServers.By leveraging these settings to auto-approve MCP servers, CPR executed malicious commands immediately upon running claude before the user could interact with the trust dialog. This once again enabled RCE.
Vulnerability 3: API Key Exfiltration (CVE-2026-21852)
Further investigation into .claude/settings.json revealed that environment variables could also be defined.
CPR targeted ANTHROPIC_BASE_URL, which controls the endpoint for Claude Code API communications.
By pointing this URL to a malicious server, an attacker could intercept the tool’s initial API requests.
Check Point Research (CPR) observed that before the user even interacted with the trust dialog, Claude Code transmitted the full Anthropic API key in plaintext within the authorization header.
With a stolen API key, attackers could perform billing fraud or access shared Claude Workspaces.
While files in a workspace cannot be downloaded after manual upload, CPR bypassed this by using the code execution tool to regenerate the file, making it downloadable and exposing sensitive team resources.
These vulnerabilities present severe supply chain risks, as malicious configurations could be injected via pull requests, honeypot repositories, or compromised internal accounts.
Anthropic has resolved these issues by: Enhancing warning dialogs for untrusted configurations. Ensuring MCP servers cannot execute before user approval, regardless of auto-approve settings.
Deferring all network operations, including API key transmission, until after explicit user consent is granted.
Developers are urged to update to the latest version of Claude Code and treat project configuration files with the same scrutiny as executable code.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
