INC-26-0017 confirmed high Near Miss Claude Code Remote Code Execution and API Key Exfiltration Vulnerabilities (2026)
Anthropic developed and Software developers using Claude Code deployed Anthropic Claude Code CLI, harming Developers with Claude Code installed on potentially compromised project directories ; possible contributing factors include inadequate access controls, misconfigured deployment, and insufficient safety testing.
Incident Details
| Date Occurred | 2026-01 |
| Severity | high |
| Evidence Level | corroborated |
| Impact Level | Sector-wide |
| Failure Stage | Near Miss |
| Domain | Agentic Systems |
| Primary Pattern | PAT-AGT-006 Tool Misuse & Privilege Escalation |
| Secondary Patterns | PAT-SEC-006 Prompt Injection Attack |
| Regions | north america, europe |
| Sectors | Technology |
| Affected Groups | Developers & AI Builders |
| Exposure Pathways | Adversarial Targeting, Direct Interaction |
| Causal Factors | Inadequate Access Controls, Misconfigured Deployment, Insufficient Safety Testing |
| Assets & Technologies | Large Language Models, Identity Credentials |
| Entities | Anthropic(developer), ·Software developers using Claude Code(deployer) |
| Harm Type | operational |
Check Point Research disclosed two vulnerabilities in Anthropic's Claude Code CLI tool — CVE-2025-59536 (CVSS 8.7) enabling remote code execution through hooks configuration injection, and CVE-2026-21852 enabling API key theft via ANTHROPIC_BASE_URL override — while a separate disclosure identified CVE-2026-25725 (CVSS 7.7), a sandbox escape through settings.json manipulation.
Incident Summary
Check Point Research disclosed two vulnerabilities in Anthropic’s Claude Code CLI tool in February 2026.[1] CVE-2025-59536 (CVSS 8.7) exploited the hooks configuration mechanism: a malicious .claude/settings.json file placed in a project directory could inject arbitrary commands that would execute automatically when a developer opened the project in Claude Code. CVE-2026-21852 (CVSS 5.3) enabled API key theft by overriding the ANTHROPIC_BASE_URL environment variable through project configuration, redirecting authentication tokens to an attacker-controlled server.[1][2]
Separately, an independent researcher disclosed CVE-2026-25725 (CVSS 7.7), a sandbox escape in Claude Code versions prior to 2.1.2 that allowed settings.json manipulation to break out of the restricted execution environment — a distinct vulnerability class from the Check Point pair.[3]
No confirmed exploitation in the wild was reported for any of the three vulnerabilities at the time of disclosure.[2] All three require a developer to open or interact with a malicious project directory — these are supply-chain-style vectors via malicious repositories, not network-based remote exploits. Anthropic patched all three vulnerabilities.[3]
Key Facts
- CVE-2025-59536 (CVSS 8.7): Hooks configuration injection enabling remote code execution when a developer opens a project containing a malicious
.claude/settings.jsonfile[1] - CVE-2026-21852 (CVSS 5.3): API key exfiltration via
ANTHROPIC_BASE_URLoverride in project configuration, redirecting authentication tokens to attacker-controlled servers[1] - CVE-2026-25725 (CVSS 7.7): Sandbox escape through settings.json manipulation, affecting Claude Code versions prior to 2.1.2[3]
- Discovery: CVE-2025-59536 and CVE-2026-21852 discovered by Check Point Research; CVE-2026-25725 disclosed separately via GitHub Security Advisory GHSA-ff64-7w26-62rf[1][3]
- Attack vector: All three vulnerabilities are local project-based — a developer must open or clone a malicious repository; there is no network-based remote exploitation path[1]
- Remediation: CVE-2026-25725 fixed in Claude Code version 2.1.2; all three patched by Anthropic[3]
Threat Patterns Involved
Primary: Tool Misuse & Privilege Escalation — Claude Code’s hooks mechanism and project configuration system were designed to provide developer convenience but created attack surfaces where project-level configuration files could escalate to system-level code execution. The CVSS 8.7 hooks injection vulnerability demonstrates how AI coding assistants that integrate deeply with developer environments inherit the elevated permissions of those environments. CVE-2026-25725, the sandbox escape, is a direct subcase of this pattern: it allowed an attacker to break out of Claude Code’s restricted execution environment entirely through the same settings.json trust boundary.
Secondary: Prompt Injection Attack — The ANTHROPIC_BASE_URL override vulnerability (CVE-2026-21852) represents a configuration-based variant of prompt injection, where an attacker modifies the AI tool’s communication parameters through project files rather than through natural language input. Unlike classical in-context prompt injection — where malicious instructions are embedded in documents, code comments, or conversation text that the model processes — this attack operates at the infrastructure layer, redirecting the AI tool’s API calls before any language processing occurs.
Significance
- AI coding tools as attack surfaces — These vulnerabilities demonstrate that AI coding assistants introduce novel attack vectors through their project configuration mechanisms, where a cloned repository can compromise a developer’s credentials and execute arbitrary code
- Configuration trust boundaries — The hooks injection (CVE-2025-59536) highlights the challenge of balancing developer convenience with security in AI tools: features that allow project-level customization also allow project-level exploitation
- Multiple independent discoveries — The fact that three vulnerabilities were found by at least two independent research groups (Check Point Research and the CVE-2026-25725 researcher) within the same timeframe suggests that AI coding tool security had not been subjected to systematic adversarial review prior to 2026
Timeline
Check Point Research discovers CVE-2025-59536 and CVE-2026-21852 in Claude Code
Check Point Research publishes disclosure of hooks config injection and API key theft vulnerabilities
CVE-2026-25725 (CVSS 7.7) published — sandbox escape via settings.json in Claude Code versions prior to 2.1.2
Anthropic patches all three vulnerabilities
Outcomes
- Recovery:
- All three vulnerabilities patched by Anthropic; CVE-2026-25725 fixed in Claude Code version 2.1.2
Use in Retrieval
INC-26-0017 documents Claude Code Remote Code Execution and API Key Exfiltration Vulnerabilities, a high-severity incident classified under the Agentic Systems domain and the Tool Misuse & Privilege Escalation threat pattern (PAT-AGT-006). It occurred in North America, Europe (2026-01). This page is maintained by TopAIThreats.com as part of an evidence-based registry of AI-enabled threats. Cite as: TopAIThreats.com, "Claude Code Remote Code Execution and API Key Exfiltration Vulnerabilities," INC-26-0017, last updated 2026-03-29.
Sources
- RCE and API Token Exfiltration Through Claude Code Project Files (primary, 2026-02)
https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/ (opens in new tab) - Flaws in Claude Code Put Developer Machines at Risk (news, 2026-02)
https://www.darkreading.com/application-security/flaws-claude-code-developer-machines-risk (opens in new tab) - CVE-2026-25725 — Claude Code Sandbox Escape (primary, 2026-02-06)
https://github.com/advisories/GHSA-ff64-7w26-62rf (opens in new tab)
Update Log
- — First logged (Status: Confirmed, Evidence: Corroborated)