Cybersecurity researchers have identified several critical security vulnerabilities in Anthropic’s Claude Code, an artificial intelligence (AI) coding assistant. These flaws could allow attackers to execute remote code and steal sensitive API credentials, posing a significant risk to developers and their AI infrastructure. The vulnerabilities were detailed in a report by Check Point Research, highlighting potential weaknesses in how the AI handles untrusted code repositories.
Anthropic Claude Code Vulnerabilities Expose Developers to Attacks
A recent report by Check Point Research has exposed a series of serious security vulnerabilities within Anthropic’s Claude Code, an AI-powered tool designed to assist developers in writing code. These discovered weaknesses primarily revolve around the AI’s interaction with untrusted code repositories and its handling of configuration mechanisms. The potential impact ranges from arbitrary code execution on a developer’s machine to the exfiltration of highly sensitive Anthropic API keys. This discovery underscores the evolving threat landscape for AI development tools and the critical need for robust security measures.
The vulnerabilities exploit various configuration elements within Claude Code, including its use of hooks, Model Context Protocol (MCP) servers, and environment variables. According to Check Point Research, when a user clones and opens an untrusted repository, these flaws can be exploited to execute arbitrary shell commands or steal Anthropic API keys. This bypasses the typical security checks developers would expect, making the process of collaborating with external code sources more precarious.
Vulnerability Details and Their Impact
The identified shortcomings have been categorized into three distinct vulnerabilities, each carrying a significant risk score. The first, lacking a CVE designation but with a CVSS score of 8.7, stems from a code injection flaw that allows for arbitrary code execution. This occurs when Claude Code is initiated in a new directory containing an untrusted project hook defined in `.claude/settings.json`. Crucially, the vulnerability exploits a user consent bypass mechanism, enabling code execution without requiring additional user confirmation.
Another vulnerability, formally recognized as CVE-2025-59536 also with a CVSS score of 8.7, creates a path for code injection upon tool initialization. Even without explicit user interaction beyond starting Claude Code in an untrusted directory, this flaw can trigger the automatic execution of arbitrary shell commands. This exploit leverages repository-defined configurations, such as those in `.mcp.json` and `claude/settings.json` files, potentially overriding user approval by setting the “enableAllProjectMcpServers” option to true.
A third vulnerability, CVE-2026-21852, with a lower CVSS score of 5.3, centers on information disclosure. This flaw impacts Claude Code’s project-load procedure, enabling a malicious repository to exfiltrate sensitive data, including Anthropic API keys. Anthropic has confirmed that if a user initiates Claude Code within an attacker-controlled repository that manipulates the `ANTHROPIC_BASE_URL` setting, the AI could inadvertently issue API requests to a malicious endpoint before displaying a trust prompt to the user, thus leaking API keys.
Stealthy Execution and Credential Theft
The implications of these vulnerabilities are far-reaching. Exploiting the code injection flaws could lead to stealthy execution on a developer’s machine, often without any further interaction from the user beyond launching the project. This could allow attackers to gain a foothold within a developer’s environment, access shared project files, modify or delete cloud-stored data, upload malicious content, and even incur unexpected API costs for the victim.
Furthermore, the ability to exfiltrate API keys and redirect authenticated API traffic to external infrastructure allows attackers to burrow deeper into an organization’s AI ecosystem. The report highlights that simply opening a crafted repository can be sufficient to achieve this credential theft and traffic redirection. This fundamentally shifts the threat model for AI-driven development environments. As AI tools become more autonomous, their configuration files effectively become part of the execution layer, integrating operational context directly into system behavior.
Mitigation and Future Outlook
Anthropic has addressed these vulnerabilities through several updates. The first vulnerability (No CVE) was fixed in version 1.0.87 in September 2025. CVE-2025-59536 was patched in version 1.0.111 in October 2025, and CVE-2026-21852 was resolved in version 2.0.65 in January 2026. Developers using Claude Code are strongly advised to ensure their software is updated to the latest available versions to mitigate these risks.
The findings by Check Point Research serve as a stark reminder that the software supply chain in AI development extends beyond source code to encompass the surrounding automation layers. As AI-powered tools gain increased autonomy and integration capabilities, the security of their configuration and interaction protocols becomes paramount. The continued evolution of AI security will likely involve enhanced scrutiny of how AI models process and authenticate external inputs and configurations. Future developments will focus on ensuring that user consent and security protocols remain robust even as AI tools become more sophisticated in their autonomous operations.