Key Findings

• Multiple security vulnerabilities discovered in Anthropic's Claude Code, an AI-powered coding assistant

• Vulnerabilities could result in remote code execution and theft of Anthropic API credentials

• Vulnerabilities exploit configuration mechanisms, including Hooks, Model Context Protocol (MCP) servers, and environment variables

Background

Claude Code is an artificial intelligence (AI)-powered coding assistant developed by Anthropic. It is designed to help developers write and debug code more efficiently.

No CVE (CVSS score: 8.7)

• A code injection vulnerability stemming from a user consent bypass when starting Claude Code in a new directory

• Could result in arbitrary code execution without additional confirmation via untrusted project hooks defined in .claude/settings.json

• Fixed in version 1.0.87 in September 2025

CVE-2025-59536 (CVSS score: 8.7)

• A code injection vulnerability that allows execution of arbitrary shell commands automatically upon tool initialization

• Occurs when a user starts Claude Code in an untrusted directory

• Fixed in version 1.0.111 in October 2025

CVE-2026-21852 (CVSS score: 5.3)

• An information disclosure vulnerability in Claude Code's project-load flow

• Allows a malicious repository to exfiltrate data, including Anthropic API keys

• Fixed in version 2.0.65 in January 2026

Sources

• https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html

• https://x.com/TheHackersNews/status/2026704093109170367

• https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/