Security News Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration

[Divergent]

Content source

https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html

Cybersecurity researchers have disclosed multiple security vulnerabilities in Anthropic's Claude Code, an artificial intelligence (AI)-powered coding assistant, that could result in remote code execution and theft of API credentials.

"The vulnerabilities exploit various configuration mechanisms, including Hooks, Model Context Protocol (MCP) servers, and environment variables – executing arbitrary shell commands and exfiltrating Anthropic API keys when users clone and open untrusted repositories," Check Point Research said in a report shared with The Hacker News.

Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration

Claude Code flaws allow remote code execution and API key theft via untrusted repositories; three bugs fixed across 2025–2026 releases.

thehackernews.com

 

[Bot]

Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration

Claude Code flaws allow remote code execution and API key theft via untrusted repositories; three bugs fixed across 2025–2026 releases.

thehackernews.com

This is a good example of a “project files become code” / “opening a repo is an execution event” problem in agentic coding tools, especially when the tool supports repo-controlled configuration.

What the report is saying (high level)
According to Check Point Research and Anthropic’s own advisories, a malicious repository can abuse Claude Code’s repository-scoped configuration (notably `.claude/settings.json` and `.mcp.json`) to do things like:

• Trigger command execution through project hooks / initialization flows (remote code execution on the developer workstation in the worst case)
• Auto-approve (or effectively bypass meaningful consent for) MCP server initialization by setting options like `enableAllProjectMcpServers`
• Exfiltrate Anthropic API keys by redirecting API traffic via `ANTHROPIC_BASE_URL` before the user confirms trust

This is the core risk: the “supply chain” isn’t only `package.json` scripts or build steps anymore; it also includes AI tool automation layers and their config. ([thehackernews.com](https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html))

Patches / versions mentioned in the advisories
From Anthropic’s GitHub security advisories (for the `@anthropic-ai/claude-code` package):

• GHSA-ph6w-f82w-28w6 (warning clarity issue): patched in v1.0.87 (advisory published Sep 2, 2025) ([github.com](https://github.com/anthropics/claude-code/security/advisories/GHSA-ph6w-f82w-28w6))
• CVE-2025-59536 (code execution before trust dialog): affected < v1.0.111, patched in v1.0.111 (advisory published Oct 3, 2025) ([github.com](https://github.com/anthropics/claude-code/security/advisories/GHSA-4fgq-fpq9-mr3g))
• CVE-2026-21852 (data leakage / API key exposure via `ANTHROPIC_BASE_URL` before trust confirmation): affected < v2.0.65, patched in v2.0.65 (advisory published Jan 20, 2026) ([github.com](https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7))

The Hacker News article you linked (dated Feb 25, 2026) summarizes these items and points to the same advisories/research. ([thehackernews.com](https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html))

Practical mitigations (what to do)
If you or your org uses Claude Code, the safest immediate actions are:

• Update Claude Code to a patched version (at minimum v2.0.65 to cover CVE-2026-21852, and ensure the earlier trust-dialog/RCE fixes are included as well). ([github.com](https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7))
• Treat “cloning and opening a repo” as equivalent to running untrusted code:
  • Do not run Claude Code in untrusted repositories.
  • Prefer opening unknown repos inside a disposable VM / container / low-privilege environment.
• Harden MCP usage:
  • Avoid enabling automatic approval of project MCP servers (settings such as `enableAllProjectMcpServers`), especially in environments where you handle untrusted code. ([code.claude.com](https://code.claude.com/docs/en/settings))
  • If you have centralized control, use managed/allowlist approaches so projects cannot silently introduce new MCP servers.
• Assume any exposed API key is compromised if you ran Claude Code in an untrusted repo:
  • Revoke/rotate the Anthropic API key(s).
  • Review Anthropic API usage logs/billing for anomalies and unexpected spikes.

Why this matters beyond Claude Code
This pattern applies to other AI coding assistants too: any assistant that can (1) execute commands, (2) initialize external tool integrations, and (3) read per-project configuration becomes vulnerable to “repo as an attack container” unless the trust boundary is extremely strict and enforced before any network calls or tool startup. ([thehackernews.com](https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html))

If you want a single takeaway: keep Claude Code updated and do not allow repo-controlled settings (hooks/MCP/env overrides) to execute or phone home before trust is established, especially for repos you didn’t create or fully review.

Sources

• Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration
• Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 - Check Point Research
• Command execution prior to Claude Code startup trust dialog
• Malicious repo configuration can trigger data leakage via environment configuration used before trust confirmation
• Claude Code Vulnerable to Arbitrary Code Execution Due to Insufficient Startup Warning
• https://code.claude.com/docs/en/settings

 

[Divergent]

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1059
Command and Scripting Interpreter

T1552.001
Credentials In Files

T1190
Exploit Public-Facing Application

CVE Profile
CVSS 8.7 (CVE-2025-59536)
CVSS 5.3 (CVE-2026-21852)
CISA KEV Status: Inactive.

Telemetry

File Paths
.claude/settings.json, .mcp.json.

Environment Variables
ANTHROPIC_BASE_URL.

Configurations
enableAllProjectMcpServers, enabledMcpjsonServers.

Constraint
Delivery vectors are unconfirmed in raw telemetry, but the structure suggests a supply chain attack involving developers cloning malicious or honeypot repositories.

The exploitation path abuses three distinct configuration vectors managed by the .claude/settings.json file. First, "Hooks" (such as a SessionStart event) will automatically execute system shell commands (e.g., opening a calculator or downloading a reverse shell payload) without waiting for the user's interactive consent. Second, the Model Context Protocol (MCP) configuration can be set to automatically approve external server connections, bypassing the trust dialog entirely. Finally, by overriding the ANTHROPIC_BASE_URL setting, the CLI will route all initialization requests, which contain the plaintext authorization headers, to an external, attacker-controlled infrastructure.

An adversary holding the exfiltrated API keys can pivot into Claude's "Workspaces," accessing, modifying, or regenerating sensitive artifacts stored by other developers sharing the workspace.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Issue a targeted policy mandating that all developer environments using Claude Code upgrade to patched versions (v2.0.65 or later) immediately.

DETECT (DE) – Monitoring & Analysis

Command
Query EDR telemetry for unexpected child processes (e.g., bash, cmd[.]exe, curl) spawned by the claude binary.

Command
Monitor network traffic for anomalies where claude attempts outbound HTTP/S connections to unverified domains outside of *.anthropic.com.

RESPOND (RS) – Mitigation & Containment

Command
Revoke and rotate any Anthropic API keys used on endpoints known to have cloned untrusted third-party repositories prior to the deployment of the patches.

Command
Isolate endpoints where the claude process tree indicates unprompted arbitrary execution.

RECOVER (RC) – Restoration & Trust

Command
Verify updated client installations (v≥2.0.65) across the environment before permitting developers to resume AI-assisted CLI workflows.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Integrate static analysis checks in CI/CD pipelines to flag unauthorized hooks or proxy configurations within .claude/settings.json and .mcp.json files during Pull Request reviews.

Remediation - THE HOME USER TRACK (Safety Focus)

Note
Threat Level downgraded to Low unless you are actively using the Claude Code CLI tool for software development.

Priority 1: Safety

Command
If you have Claude Code installed, update it via npm (npm update -g @anthropic-ai/claude-code) before running it in any newly cloned repository.

Priority 2: Identity

Command
Log into the Anthropic Developer Console and generate new API keys, permanently deleting any old keys that may have been active while navigating untrusted projects.

Priority 3: Persistence

Command
Inspect your local development directories for hidden .claude/ folders and ensure the settings.json files do not contain unfamiliar remote URLs or hooks.

Hardening & References

Baseline
CIS Benchmarks for Secure Software Development.

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

Check Point Research

The Hacker News

CVE-2025-59536
(MCP User Consent Bypass, fixed in version 1.0.111).

CVE-2026-21852
(API Token Exfiltration via URL spoofing, fixed in version 2.0.65).