Critical Claude Code Security Vulnerabilities Enable Remote Code Execution and API Key Theft

Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration

Cybersecurity researchers have disclosed multiple security vulnerabilities in Anthropic's Claude Code, an artificial intelligence (AI)-powered coding assistant, that could result in remote code execution and theft of API credentials. "The vulnerabilities exploit various configuration mechanisms, including Hooks, Model Context Protocol (MCP) servers, and environment variables - executing arbitrary shell commands and exfiltrating Anthropic API keys when users clone and open untrusted repositories," Check Point Research said in a report shared with The Hacker News. The identified shortcomings fall under three broad categories - "If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, Claude Code would issue API requests before showing the trust prompt, including potentially leaking the user's API keys," Anthropic said in an advisory for CVE-2026-21852. In other words, simply opening a crafted repository is enough to exfiltrate a developer's active API key, redirect authenticated API traffic to external infrastructure, and capture credentials. This, in turn, can permit the attacker to burrow deeper into the victim's AI infrastructure. This could potentially involve accessing shared project files, modifying/deleting cloud-stored data, uploading malicious content, and even generating unexpected API costs. Successful exploitation of the first vulnerability could trigger stealthy execution on a developer's machine without any additional interaction beyond launching the project. CVE-2025-59536 also achieves a similar goal, the main difference being that repository-defined configurations defined through .mcp.json and claude/settings.json file could be exploited by an attacker to override explicit user approval prior to interacting with external tools and services through the Model Context Protocol (MCP). This is achieved by setting the "enableAllProjectMcpServers" option to true. "As AI-powered tools gain the ability to execute commands, initialize external integrations, and initiate network communication autonomously, configuration files effectively become part of the execution layer," Check Point said. "What was once considered operational context now directly influences system behavior." "This fundamentally alters the threat model. The risk is no longer limited to running untrusted code - it now extends to opening untrusted projects. In AI-driven development environments, the supply chain begins not only with source code, but with the automation layers surrounding it."

Check Point Researchers Expose Critical Claude Code Flaws

By Aviv Donenfeld and Oded Vanunu * Critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, in Anthropic's Claude Code enabled remote code execution and API key theft through malicious repository-level configuration files, triggered simply by cloning and opening an untrusted project * Built-in mechanisms -- including Hooks, MCP integrations, and environment variables -- could be abused to bypass trust controls, execute hidden shell commands, and redirect authenticated API traffic before user consent * Stolen Anthropic API keys posed enterprise-wide risk, particularly in shared workspaces where a single compromised key could expose, modify, or delete shared files and resources and generate unauthorized costs * The findings highlight a broader shift in the AI supply chain threat model: repository configuration files now function as part of the execution layer, requiring updated security controls to address AI-driven automation risks As organizations rapidly adopt agentic AI development tools into enterprise workflows, the trust boundaries between configuration and execution are increasingly blurred. Check Point Research identified critical vulnerabilities in Anthropic's Claude Code that enabled remote code execution and API credential theft through malicious repository-based configuration files. By abusing built-in mechanisms such as Hooks, Model Context Protocol (MCP) integrations, and environment variables, attackers could execute arbitrary shell commands and exfiltrate API keys when developers cloned and opened untrusted projects - without any additional action beyond launching the tool. In effect, configuration files intended to streamline collaboration became active execution paths, introducing a new attack vector within the AI-powered development layer now embedded in the enterprise supply chain, raising a broader question: has the enterprise threat model evolved to match this new reality? How a Single Repository File Became an Attack Vector Claude Code was designed to streamline collaboration by embedding project-level configuration files directly within repositories, automatically applying them when a developer opens Claude Code inside the project directory. Check Point Research found that these files, typically perceived as harmless operational metadata, could in fact function as an active execution layer. In certain scenarios, simply cloning and opening a malicious repository was enough to: * Trigger hidden commands on the developer's endpoint * Bypass built-in consent and trust safeguards * Expose active Anthropic API keys and turn them into an access vector * Extend the impact from an individual workstation to shared enterprise cloud workspaces * All without any visible indication that a compromise had already begun. What was intended to optimize collaboration effectively became a silent attack vector within the AI-powered development workflow How Developers Could Be Affected The risks fell into three categories. * Silent Command Execution via Claude Hooks Claude Code includes automation capabilities that allow predefined actions to run when a session begins. Check Point Research demonstrated that this mechanism could be abused to execute arbitrary shell commands automatically upon tool initialization. In practice, this means that simply opening a malicious repository could trigger hidden execution on a developer's machine - without any additional interaction beyond launching the project. * MCP User Consent Bypass Claude Code integrates with external tools via the Model Context Protocol (MCP), enabling additional services to be initialized when a project is opened. Although warning prompts were designed to require explicit user approval, researchers found that repository-controlled configuration settings could override these safeguards. As a result, execution could occur: * Before the user granted consent * Without meaningful visibility into what was being initialized * Despite built-in trust prompts intended to prevent such behavior When code runs before trust is established, the control model is inverted - shifting authority from the user to repository-defined configuration and expanding the AI-driven attack surface. This issue was assigned CVE-2025-59536. * API Key Theft Before Trust Confirmation Claude Code communicates with Anthropic's services using an API key, transmitted with each authenticated request. By manipulating a repository-controlled configuration setting, researchers demonstrated that API traffic , including the full authorization header, could be redirected to an attacker-controlled server before the user confirmed trust in the project directory. This meant that simply opening a malicious repository could: * Exfiltrate a developer's active API key * Redirect authenticated API traffic to external infrastructure * Capture credentials before any trust decision was made In collaborative AI environments, a single compromised key can become a gateway to broader enterprise exposure. This issue was assigned CVE-2026-21852. Why the API Key Exposure Mattered Anthropic's API includes a feature called Workspaces, which allows multiple API keys to share access to project files stored in the cloud. Files are associated with the workspace itself, not a single key. With a stolen key, an attacker could potentially: * Access shared project files * Modify or delete cloud-stored data * Upload malicious content * Generate unexpected API costs In collaborative AI ecosystems, a single exposed key can scale from individual compromise to team-wide impact. A New Supply Chain Risk in AI Tools These vulnerabilities reflect a broader structural shift in how software supply chains operate. Modern development platforms increasingly rely on repository-based configuration files to automate workflows and streamline collaboration. Traditionally, these files were treated as passive metadata - not as execution logic. However, as AI-powered tools gain the ability to execute commands, initialize external integrations, and initiate network communication autonomously, configuration files effectively become part of the execution layer. What was once considered operational context now directly influences system behavior. This fundamentally alters the threat model. The risk is no longer limited to running untrusted code - it now extends to opening untrusted projects. In AI-driven development environments, the supply chain begins not only with source code, but with the automation layers surrounding it. Remediation and Disclosure Check Point Research worked closely with Anthropic throughout the disclosure process. Anthropic implemented fixes that: * Strengthened user trust prompts * Prevented external tool execution before explicit approval * Blocked API communications until after trust confirmation All reported issues have been resolved prior to public disclosure. Why This Matters AI-powered coding tools are rapidly becoming part of enterprise development workflows. Their productivity benefits are significant, but so is the need to reassess traditional security assumptions. Configuration files are no longer passive settings. They can influence execution, networking, and permissions. As AI integration deepens, security controls must evolve to match the new trust boundaries.