cbcvebase.
CVE-2026-21852
published 2026-01-21

CVE-2026-21852: Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate…

PriorityP265high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
22.97%
97.5th percentile
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.

Affected

3 ranges
VendorProductVersion rangeFixed in
anthropic-aiclaude-code>= 0 < 2.0.652.0.65
anthropicclaude_code< 2.0.652.0.65
anthropicsclaude-code< 2.0.652.0.65

Detection & IOCsextracted from sources · hover to see the quote

hashd8256fbc62e85dae85eb8d4b49613774
hash8660646bbc6bb7dc8f59a764e25fe1fd
hash77c73bd5e7625b7f691bc00a1b561a0f
hash81fb210ba148fd39e999ee9cdc085dfc
hash9a6ea91491ccb1068b0592402029527f
hash3388b415610f4ae018d124ea4dc99189
urlhttps://steamcommunity.com/profiles/76561198721263282
urlhttps://telegram.me/g1n3sss
urlhttps://rti.cargomanbd.com
ip147.45.197.92
ip94.228.161.88
urlhttps://github.com/leaked-claude-code/leaked-claude-code
urlhttps://github.com/my3jie/leaked-claude-code
urlhttps://github.com/idbzoomh1
filenameClaudeCode_x64.exe
path.claude/settings.json
path.mcp.json
  • Monitor for outbound API requests to non-Anthropic endpoints originating from Claude Code processes — the ANTHROPIC_BASE_URL environment variable set in .claude/settings.json can redirect all API traffic (including API keys) to an attacker-controlled server before the trust prompt is shown.
  • Alert on shell command execution triggered by Claude Code's SessionStart hook event immediately upon project load — hooks defined in .claude/settings.json execute automatically without additional user confirmation after the initial trust dialog.
  • Detect MCP server initialization commands executing before the trust dialog is acknowledged — enableAllProjectMcpServers or enabledMcpjsonServers set in .claude/settings.json can cause commands in .mcp.json to run immediately upon invoking 'claude' in a project directory.
  • Hunt for the Rust-based dropper ClaudeCode_x64.exe delivered via GitHub repository releases sections, which drops Vidar v18.7 infostealer and GhostSocks proxy malware.
  • Detect Vidar C2 communications using Steam community profile pages as Dead Drop Resolvers (DDR) to obtain the actual C2 address.
  • Block or alert on connections to cargomanbd[.]com (specifically rti.cargomanbd.com) as an active Vidar C2 endpoint.
  • Detect GhostSocks proxy traffic to 147.45.197.92:443 and 94.228.161.88:443.
  • Flag cloning or downloading from GitHub repositories under accounts 'leaked-claude-code', 'my3jie', or 'idbzoomh1' as these are confirmed trojanized Claude Code lure repositories.
  • ·The vulnerability affects Claude Code versions prior to 2.0.65 only. Users on standard auto-update have already received the fix; only manual-update users need to act.
  • ·The ANTHROPIC_BASE_URL exfiltration (CVE-2026-21852) is distinct from the RCE hooks/MCP vulnerabilities (CVE-2025-59536); both are triggered by a malicious .claude/settings.json in a cloned repository but through different mechanisms.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.