AI description
CVE-2026-21852 is an information disclosure vulnerability identified in Claude Code, an agentic coding tool. This flaw allows malicious repositories to exfiltrate sensitive data, including Anthropic API keys, before users have confirmed their trust in the repository. The vulnerability arises because an attacker-controlled repository can include a settings file that sets the `ANTHROPIC_BASE_URL` to an endpoint controlled by the attacker. When such a repository is opened, Claude Code reads this configuration and immediately issues API requests, potentially leaking the user's API keys to the attacker's server before any trust prompt is displayed. This vulnerability is characterized as a configuration injection flaw (CWE-522: Insufficiently Protected Credentials) within Claude Code's initialization sequence. The core issue lies in the timing of configuration file parsing relative to user trust verification, allowing API requests with authentication credentials to be sent to an attacker-specified endpoint before user consent. This enables attackers to steal Anthropic API keys by convincing developers to clone and open malicious repositories. Versions of Claude Code prior to 2.0.65 are affected.
- Description
- Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- claude_code
CVSS 4.0
- Type
- Secondary
- Base score
- 5.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
- security-advisories@github.com
- CWE-522
- Hype score
- Not currently trending
Claude Code Security Vulnerabilities: CVE-2025-59536 & CVE-2026-21852 Analysis Critical vulnerabilities in Claude Code enable remote code execution and API key theft via malicious repository configurations. Analysis of three developer ... Written from an engineering perspect
@Claudecode_JPEE
10 May 2026
243 Impressions
0 Retweets
0 Likes
0 Bookmarks
2 Replies
0 Quotes
Claude Code脆弱性分析:RCE と API認証情報露出リスク Check Point Researchが報告したClaude Codeの重大脆弱性(CVE-2025-59536、CVE-2026-21852)は、リポジトリ設定を悪用したリモートコード実行とAPI認証情報窃取を可能にする
@Claudecode_JPJE
10 May 2026
271 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
TrustFall lands. CVE-2026-26268 plus the Claude Code RCE chain (CVE-2025-59536, CVE-2026-21852, CVE-2026-33068). One Enter keypress auto-approves a malicious .mcp.json across Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot CLI. Translation: every default-trust agent CLI
@musiol_martin
10 May 2026
317 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2026-24887. CVE-2026-21852. CVE-2025-59536. Three Claude Code RCEs in 60 days, all weaponized faster after Anthropic shipped the full source map in a public npm bundle on March 31. The SaaS surface IS the threat surface. Self-hosted Claude Code behind strict allowlists kills
@musiol_martin
7 May 2026
276 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-59536 + CVE-2026-21852: Claude Code <2.0.65 lets a repo config file silently run shell commands and exfiltrate your API key via Hooks/MCP. Patch is in 2.0.65. Self-hosted with strict allowlists kills the whole class. https://t.co/mE4uAPCm83
@musiol_martin
4 May 2026
142 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
BREAKING: Four flaws in Anthropic Claude Code (CVE-2026-33068, CVE-2026-25723, CVE-2026-21852, CVE-2025-59536) enable trust bypass, arbitrary file writes and API key exfiltration in unpatched versions. https://t.co/7f7r9c7YTt
@threatcluster
30 Apr 2026
115 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
悪意あるリポジトリをクローンするだけでRCEとAPIキー窃取が起きるClaude Code脆弱性(CVE-2025-59536/CVE-2026-21852)が発見・修正済み。根本原因は.claude/settings.jsonがリポジトリ内に存在すること。信頼できないリポジ
@aidriven1234
26 Apr 2026
178 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes
Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 - Aviv Donenfeld and Oded Vanunu https://t.co/ne7IicPoHh
@pentest_swissky
11 Apr 2026
1686 Impressions
7 Retweets
17 Likes
13 Bookmarks
0 Replies
0 Quotes
在陌生 repo 跑 Claude Code,API 金鑰可能已洩漏。 Check Point 披露 CVE-2025-59536(任意命令執行)+ CVE-2026-21852(密鑰外滲),攻擊鏈全程無感知,Anthropic 未有修復時間表。 vibe coding 用戶每天都咁做——邊緣場景定日
@TechPulseHK
2 Apr 2026
112 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
1️⃣ About Claude Code vulnerabilities (CVE-2025-59536, CVE-2026-21852) : the attack surface no longer exists at the code execution layer alone. It has migrated upward into the configuration and initialization layers that govern how AI assistants interact with infrastructure b
@francescofaenzi
30 Mar 2026
141 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
1 Quote
4 Agent Security Breaches That Should Change How You Think About API Keys Shai-Hulud, SANDWORM_MODE, OpenClaw, and CVE-2026-21852 — the 2025-2026 incidents that proved AI agents need their own authorization layer, not shared secrets. https://t.co/JI0XipSONE
@mishrak_sanjeev
28 Mar 2026
129 Impressions
0 Retweets
5 Likes
2 Bookmarks
0 Replies
0 Quotes
毎日使ってるClaude Codeに重大な脆弱性が2件見つかった(修正済み)。 CVE-2025-59536: プロジェクトファイル経由のRCE CVE-2026-21852: ANTHROPIC_BASE_URLの上書きによるAPIキー漏洩 攻撃シナリオがリアル。 悪意あるリポ
@shun_aidev
19 Mar 2026
249 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
Recent #ClaudeCode vulnerabilities (CVE-2025-59536, CVE-2026-21852) show why the AI supply chain begins with the automation layer. Configuration files like .claude/settings.json are now part of the execution layer. Authority must be deterministic. 🛡️🦾 https://t.co/PGucc61
@PermissionPrtcl
17 Mar 2026
150 Impressions
0 Retweets
5 Likes
0 Bookmarks
1 Reply
0 Quotes
#Cybernews 🚨💻 Las #Vulnerabilidades ⚠️, registradas como CVE-2025-59536 🆔 y CVE-2026-21852 🆔, podían activarse simplemente al #Clonar 🔁 y abrir 📂 un proyecto no confiable 🚫, sin necesidad de ejecutar código explícito 🧩 ni realizar acciones adicional
@totalcybersec
10 Mar 2026
219 Impressions
2 Retweets
6 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 CYBERDUDEBIVASH SENTINEL APEX ALERT 🚨 Threat: Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 Intel Report: https://t.co/1U7gyRBUzM
@cyberbivash
9 Mar 2026
97 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
check point found 2 flaws in claude code — anthropic's AI dev tool. CVE-2025-59536: open a project → code runs before you click "trust." CVE-2026-21852: repo configs silently redirect your API keys to the attacker. clone the wrong repo. your AI tool is the backdoor.
@The_Agent_Econ
8 Mar 2026
104 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CYBERDUDEBIVASH SENTINEL APEX ALERT 🚨 Threat: Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 Intel Report: https://t.co/tL4HD8m3Hz
@cyberbivash
3 Mar 2026
109 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Claude Codeの設定ファイルが攻撃面に不正リポジトリでRCEとAPIキー窃取が成立した脆弱性(CVE-2025-59536/CVE-2026-21852) https://t.co/Vs50pJ5SIK #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews #AINews
@securityLab_jp
3 Mar 2026
183 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Vulnerabilities (CVE-2025-59536, CVE-2026-21852) in Anthropic Claude Code https://t.co/k7E25uyOfG
@ninp0
2 Mar 2026
48 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Claude Code มีช่องโหว่ เปิดทางแฮกเกอร์รันคำสั่ง-ขโมย API Key ได้เงียบๆ https://t.co/8UxH8udJWf CVE-2025-59536, CVE-2026-21852
@ohmohm
2 Mar 2026
50 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
AI dev tool security alert. @claudeai Code vulnerabilities enabled: • Remote Code Execution • MCP consent bypass (CVE-2025-59536) • API key exfiltration (CVE-2026-21852) Reported by Check Point Research. Fully patched by Anthropic. Config files = potential execution vectors
@TechNadu
28 Feb 2026
188 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Report #2026-02-28-01: Claude Code flaws (CVE-2025-59536, CVE-2026-21852) enabled RCE + API token exfiltration via untrusted project files. Impact: HIGH. Source: https://t.co/rX49vfvl2V
@elagentecapital
28 Feb 2026
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
「リポジトリをクローンして開いただけで APIキーが盗まれる」 セキュリティ企業Check Pointが Claude Codeに重大な脆弱性2件を発見・報告。 CVE-2025-59536 CVE-2026-21852 2件とも公開前にAnthropicが修正済みです🔐 ど
@Claudia_AiLab
27 Feb 2026
109 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes
⚠️Check PointがClaude Codeの重大脆弱性を公開 The Hacker Newsでも報道されました 内容はかなり深刻で ・悪意あるリポジトリを開くだけ ・RCE(Remote Code Execution=外部から任意コード実行)可能 ・APIキー盗
@onumaro92
26 Feb 2026
210 Impressions
0 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes
Check Point disclosed critical Claude Code vulnerabilities yesterday (CVE-2025-59536, CVE-2026-21852). Three attack vectors, all execution before trust dialogs. RCE via hooks: Malicious .claude/settings.json executes shell commands on SessionStart. Clone poisoned repo, run
@ManfredMancxx
26 Feb 2026
52 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical RCE in Code: How Attackers Can Hijack #AI Assistants and Steal API Keys (#CVE-2025-59536 & #CVE-2026-21852) + Video https://t.co/aOkUZKfrk5 Educational Purposes!
@UndercodeUpdate
26 Feb 2026
49 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
I hacked Claude Code! It turns out "agentic" is just a fancy new way to get a shell. I achieved full RCE and hijacked organization API keys. CVE-2025-59536 | CVE-2026-21852 https://t.co/GymKzaM1wp #ai #Claude
@Od3dV
26 Feb 2026
60136 Impressions
102 Retweets
470 Likes
334 Bookmarks
6 Replies
13 Quotes
Critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, in Anthropic’s Claude Code enabled remote code execution and API key theft through malicious repository-level configuration files, triggered simply by cloning and opening an untrusted project https://t.co/nXlrDqdhgK h
@blackorbird
26 Feb 2026
2078 Impressions
9 Retweets
21 Likes
8 Bookmarks
0 Replies
0 Quotes
What dropped today (while these clowns are still selling unsecured garbage bots that get your account nuked): • Claude Code Config Bypass/CVE-2025-59536 + CVE-2026-21852 lets attackers RCE your dev box and steal API keys just by cloning a poisoned repo — disclosed Feb 25, 20
@Double00Kevin
26 Feb 2026
62 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Anthropic社のAI「Claude Code」において、リモートでコードが実行される可能性のある深刻な脆弱性が発見されました。この問題は、CVE-2025-59536およびCVE-2026-21852として追跡されています。
@omomuki_tech
26 Feb 2026
75 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration - https://t.co/yCtHWMfO00 • Critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, in Anthropic’s Claude Code enabled remote code execution and API key theft through malicious repository-level https
@AISecHub
26 Feb 2026
1660 Impressions
3 Retweets
26 Likes
13 Bookmarks
2 Replies
0 Quotes
Check Point found CVE-2025-59536 and CVE-2026-21852 in Claude Code allow remote code execution and API key theft via untrusted repository configurations, reachable by simply cloning and opening a project. They warn that built-in hooks and env vars could … https://t.co/nEKaQHLG0
@Cyber_O51NT
26 Feb 2026
943 Impressions
12 Retweets
15 Likes
1 Bookmark
2 Replies
0 Quotes
Researchers disclose critical flaws in Anthropic's Claude Code enabling remote code execution and API key theft via untrusted repositories, tracked as CVE-2025-59536 and CVE-2026-21852. #AIsecurity https://t.co/49GjRjE368
@threatcluster
26 Feb 2026
64 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Claude Codeに遠隔コード実行及びAPIキー窃取の脆弱性。Check Point社報告。CVE-2025-59536及びCVE-2026-21852。信頼されないリポジトリをクローンして開くことで、悪意ある設定ファイルから発動。処理に際し明示的な認
@__kokumoto
25 Feb 2026
1147 Impressions
3 Retweets
3 Likes
5 Bookmarks
0 Replies
0 Quotes
Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 https://t.co/fTjad1Bg5x
@Dinosn
25 Feb 2026
1281 Impressions
2 Retweets
1 Like
4 Bookmarks
0 Replies
0 Quotes
Check Point | Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 https://t.co/4ymK4vGUTN
@StopMalvertisin
25 Feb 2026
349 Impressions
1 Retweet
5 Likes
1 Bookmark
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "DD35DBC7-825A-49D0-825E-8DD6BE1A257A",
"versionEndExcluding": "2.0.65",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]