AI description
CVE-2026-21852 is an information disclosure vulnerability identified in Claude Code, an agentic coding tool. This flaw allows malicious repositories to exfiltrate sensitive data, including Anthropic API keys, before users have confirmed their trust in the repository. The vulnerability arises because an attacker-controlled repository can include a settings file that sets the `ANTHROPIC_BASE_URL` to an endpoint controlled by the attacker. When such a repository is opened, Claude Code reads this configuration and immediately issues API requests, potentially leaking the user's API keys to the attacker's server before any trust prompt is displayed. This vulnerability is characterized as a configuration injection flaw (CWE-522: Insufficiently Protected Credentials) within Claude Code's initialization sequence. The core issue lies in the timing of configuration file parsing relative to user trust verification, allowing API requests with authentication credentials to be sent to an attacker-specified endpoint before user consent. This enables attackers to steal Anthropic API keys by convincing developers to clone and open malicious repositories. Versions of Claude Code prior to 2.0.65 are affected.
- Description
- Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- claude_code
CVSS 4.0
- Type
- Secondary
- Base score
- 5.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
- security-advisories@github.com
- CWE-522
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
38
⚠️Check PointがClaude Codeの重大脆弱性を公開 The Hacker Newsでも報道されました 内容はかなり深刻で ・悪意あるリポジトリを開くだけ ・RCE(Remote Code Execution=外部から任意コード実行)可能 ・APIキー盗
@onumaro92
26 Feb 2026
177 Impressions
0 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes
Check Point disclosed critical Claude Code vulnerabilities yesterday (CVE-2025-59536, CVE-2026-21852). Three attack vectors, all execution before trust dialogs. RCE via hooks: Malicious .claude/settings.json executes shell commands on SessionStart. Clone poisoned repo, run
@ManfredMancxx
26 Feb 2026
49 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical RCE in Code: How Attackers Can Hijack #AI Assistants and Steal API Keys (#CVE-2025-59536 & #CVE-2026-21852) + Video https://t.co/aOkUZKfrk5 Educational Purposes!
@UndercodeUpdate
26 Feb 2026
46 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
I hacked Claude Code! It turns out "agentic" is just a fancy new way to get a shell. I achieved full RCE and hijacked organization API keys. CVE-2025-59536 | CVE-2026-21852 https://t.co/GymKzaM1wp #ai #Claude
@Od3dV
26 Feb 2026
57753 Impressions
96 Retweets
448 Likes
308 Bookmarks
6 Replies
13 Quotes
Critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, in Anthropic’s Claude Code enabled remote code execution and API key theft through malicious repository-level configuration files, triggered simply by cloning and opening an untrusted project https://t.co/nXlrDqdhgK h
@blackorbird
26 Feb 2026
2078 Impressions
9 Retweets
21 Likes
8 Bookmarks
0 Replies
0 Quotes
What dropped today (while these clowns are still selling unsecured garbage bots that get your account nuked): • Claude Code Config Bypass/CVE-2025-59536 + CVE-2026-21852 lets attackers RCE your dev box and steal API keys just by cloning a poisoned repo — disclosed Feb 25, 20
@Double00Kevin
26 Feb 2026
62 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Anthropic社のAI「Claude Code」において、リモートでコードが実行される可能性のある深刻な脆弱性が発見されました。この問題は、CVE-2025-59536およびCVE-2026-21852として追跡されています。
@omomuki_tech
26 Feb 2026
75 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration - https://t.co/yCtHWMfO00 • Critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, in Anthropic’s Claude Code enabled remote code execution and API key theft through malicious repository-level https
@AISecHub
26 Feb 2026
1660 Impressions
3 Retweets
26 Likes
13 Bookmarks
2 Replies
0 Quotes
Check Point found CVE-2025-59536 and CVE-2026-21852 in Claude Code allow remote code execution and API key theft via untrusted repository configurations, reachable by simply cloning and opening a project. They warn that built-in hooks and env vars could … https://t.co/nEKaQHLG0
@Cyber_O51NT
26 Feb 2026
943 Impressions
12 Retweets
15 Likes
1 Bookmark
2 Replies
0 Quotes
Researchers disclose critical flaws in Anthropic's Claude Code enabling remote code execution and API key theft via untrusted repositories, tracked as CVE-2025-59536 and CVE-2026-21852. #AIsecurity https://t.co/49GjRjE368
@threatcluster
26 Feb 2026
64 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Claude Codeに遠隔コード実行及びAPIキー窃取の脆弱性。Check Point社報告。CVE-2025-59536及びCVE-2026-21852。信頼されないリポジトリをクローンして開くことで、悪意ある設定ファイルから発動。処理に際し明示的な認
@__kokumoto
25 Feb 2026
1147 Impressions
3 Retweets
3 Likes
5 Bookmarks
0 Replies
0 Quotes
Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 https://t.co/fTjad1Bg5x
@Dinosn
25 Feb 2026
1281 Impressions
2 Retweets
1 Like
4 Bookmarks
0 Replies
0 Quotes
Check Point | Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 https://t.co/4ymK4vGUTN
@StopMalvertisin
25 Feb 2026
349 Impressions
1 Retweet
5 Likes
1 Bookmark
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*",
"vulnerable": true,
"matchCriteriaId": "DD35DBC7-825A-49D0-825E-8DD6BE1A257A",
"versionEndExcluding": "2.0.65"
}
],
"operator": "OR"
}
]
}
]