Anthropic Patched Remote Code Execution and API Theft Flaws in Claude Code

Researchers at Check Point Research report multiple flaws in Anthropic's Claude Code, an AI-driven development tool, that allowed attackers to execute code and steal credentials. These flaws turned passive repository configuration files into active attack vectors. The issues are caused by how the tool processed project-level settings on initialization.

Vulnerabilities summary:

• CVE-2025-59536 (CVSS score 8.7) - A code injection vulnerability that allows attackers to run arbitrary shell commands when a user starts Claude Code in a malicious directory. By manipulating the Model Context Protocol (MCP) settings,  the enableAllProjectMcpServers option, an attacker can bypass user consent prompts. This allows the tool to initialize external services and execute code before the user grants permission, leading to full system compromise.
• CVE-2026-21852 (CVSS score 5.3) - An information disclosure vulnerability that enables the exfiltration of Anthropic API keys during the project-load sequence. Attackers can set a malicious ANTHROPIC_BASE_URL in the repository's configuration, redirecting authenticated API traffic to an external server. This leak occurs before the tool displays a trust prompt, capturing the authorization header and allowing attackers to hijack the developer's identity.
• Unassigned (CVSS score 8.7) - A code injection flaw involving user consent bypass through untrusted project hooks defined in .claude/settings.json. Attackers can define malicious hooks that execute shell commands automatically when the tool launches in a new directory. This mechanism allows for silent command execution on the developer's endpoint without any further confirmation or visible warning.

Successful exploitation grants attackers full control over a developer's local environment and access to sensitive cloud resources. Stolen API keys are particularly dangerous in enterprise environments using Anthropic's Workspaces feature, where keys provide access to shared project files. 

Attackers could use these credentials to modify or delete cloud-stored data, upload malicious content, or incur significant API costs. This shift in the threat model means that simply opening a project, now poses a severe risk to the software supply chain.

The vulnerabilities affected several early versions of the Claude Code command-line interface:

• The hook-based code injection was resolved in version 1.0.87 in September 2025. CVE-2025-59536 was addressed in version 1.0.111 in October 2025.
• The API key exfiltration flaw, CVE-2026-21852, was patched in version 2.0.65 in January 2026. Anthropic worked closely with researchers to ensure all reported issues were resolved before public disclosure.

Anthropic has updated Claude Code to strengthen trust prompts and block external tool execution until the user provides explicit approval. Developers should update their Claude Code installation to the latest version to ensure these protections are active. 

Organizations should treat repository-level configuration files as executable code. Restricting the use of these tools to verified internal repositories can further reduce the risk of accidental compromise through malicious third-party projects.