CVE-2026-21852
published 2026-01-21CVE-2026-21852: Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate…
PriorityP265high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
22.97%
97.5th percentile
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anthropic-ai | claude-code | >= 0 < 2.0.65 | 2.0.65 |
| anthropic | claude_code | < 2.0.65 | 2.0.65 |
| anthropics | claude-code | < 2.0.65 | 2.0.65 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for outbound API requests to non-Anthropic endpoints originating from Claude Code processes — the ANTHROPIC_BASE_URL environment variable set in .claude/settings.json can redirect all API traffic (including API keys) to an attacker-controlled server before the trust prompt is shown. ↗
- →Alert on shell command execution triggered by Claude Code's SessionStart hook event immediately upon project load — hooks defined in .claude/settings.json execute automatically without additional user confirmation after the initial trust dialog. ↗
- →Detect MCP server initialization commands executing before the trust dialog is acknowledged — enableAllProjectMcpServers or enabledMcpjsonServers set in .claude/settings.json can cause commands in .mcp.json to run immediately upon invoking 'claude' in a project directory. ↗
- →Hunt for the Rust-based dropper ClaudeCode_x64.exe delivered via GitHub repository releases sections, which drops Vidar v18.7 infostealer and GhostSocks proxy malware. ↗
- →Detect Vidar C2 communications using Steam community profile pages as Dead Drop Resolvers (DDR) to obtain the actual C2 address. ↗
- →Block or alert on connections to cargomanbd[.]com (specifically rti.cargomanbd.com) as an active Vidar C2 endpoint. ↗
- →Detect GhostSocks proxy traffic to 147.45.197.92:443 and 94.228.161.88:443. ↗
- →Flag cloning or downloading from GitHub repositories under accounts 'leaked-claude-code', 'my3jie', or 'idbzoomh1' as these are confirmed trojanized Claude Code lure repositories. ↗
- ·The vulnerability affects Claude Code versions prior to 2.0.65 only. Users on standard auto-update have already received the fix; only manual-update users need to act. ↗
- ·The ANTHROPIC_BASE_URL exfiltration (CVE-2026-21852) is distinct from the RCE hooks/MCP vulnerabilities (CVE-2025-59536); both are triggered by a malicious .claude/settings.json in a cloned repository but through different mechanisms. ↗
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Anthropic claude-code up to 2.0.64 insufficiently protected credentials (GHSA-jh7p-qr78-84p7 / EUVD-2026-3597)
vuldb·2026-04-11·CVSS 5.3
CVE-2026-21852 [MEDIUM] Anthropic claude-code up to 2.0.64 insufficiently protected credentials (GHSA-jh7p-qr78-84p7 / EUVD-2026-3597)
A vulnerability was found in Anthropic claude-code up to 2.0.64 and classified as problematic. Impacted is an unknown function. Such manipulation leads to insufficiently protected credentials.
This vulnerability is listed as CVE-2026-21852. The attack may be performed from remote. There is no available exploit.
It is suggested to upgrade the affected component.
OSV
Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
osv·2026-01-21
CVE-2026-21852 [MEDIUM] Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
A vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, Claude Code would issue API requests before showing the trust prompt, including potentially leaking the user's API keys.
Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.
GHSA
Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
ghsa·2026-01-21
CVE-2026-21852 [MEDIUM] CWE-522 Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
A vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, Claude Code would issue API requests before showing the trust prompt, including potentially leaking the user's API keys.
Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.
No detection rules found.
No public exploits indexed.
Wiz
MCP Auto-Execution: From Git Clone to Cloud Compromise in Amazon Q VS Code Extension
blogs_wiz·2026-06-26·CVSS 7.8
CVE-2026-12957 [HIGH] MCP Auto-Execution: From Git Clone to Cloud Compromise in Amazon Q VS Code Extension
Severity
High
CVE
CVE-2026-12957
Affected Versions
Language server version < 1.65.0
Fixed In
Language server version 1.65.0
Vendor
Amazon Web Services
Status
Fixed
## Executive Summary
Wiz Research discovered a high-severity vulnerability in Amazon Q Developer Extension for Visual Studio Code (VS Code), Amazon's AI-powered coding assistant for VS Code, which allowed attackers to achieve arbitrary code execution and cloud credential theft simply by having a developer open a malicious repository. Amazon Q automatically loaded MCP server configurations from workspace files without user consent. Combined with full environment inheritance, this enabled immediate code execution.
Amazon has remediated this issue in language server version 1.65.0.
This vulnerability is part of a bro
Zscaler
Anthropic Claude Code Leak | ThreatLabz
blogs_zscaler·2026-04-01
Anthropic Claude Code Leak | ThreatLabz
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
Checkpoint
Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852
blogs_checkpoint·2026-02-25·CVSS 8.7
CVE-2025-59536 [HIGH] Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
AI Research 2
Android Malware 23
Artificial Intelligence 4
ChatGPT 3
Check Point Research Publications 455
Cloud Security 1
CPRadio 44
Crypto 2
Data & Threat Intelligence 2
Data Analysis 0
Demos 22
Global Cyber Attack Reports 408
How To Guides 13
Ransomware 5
Russo-Ukrainian War 1
Security Report 1
Threat and data analysis 0
Threat Research 174
Web 3.0 Security 11
Wipers 0
## Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852
By Aviv Donenfeld and Oded Vanunu
## Executive Summary
Check Poin
Wiz
CVE-2026-21852 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-21852 [MEDIUM] CVE-2026-21852 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21852 :
Claude Code vulnerability analysis and mitigation
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest vers
2026-01-21
Published