INC-26-0089 confirmed high Near Miss Claude Code 'Claudy Day' Vulnerability Chain — Silent Data Exfiltration via Prompt Injection (2026)
Anthropic developed and deployed Claude.ai (Anthropic web application), harming Claude.ai users potentially exposed to data exfiltration ; possible contributing factors include prompt injection vulnerability and inadequate access controls.
Incident Details
| Date Occurred | 2026-03 |
| Severity | high |
| Evidence Level | corroborated |
| Impact Level | Sector-wide |
| Failure Stage | Near Miss |
| Domain | Security & Cyber |
| Primary Pattern | PAT-SEC-006 Prompt Injection Attack |
| Regions | global |
| Sectors | Technology |
| Affected Groups | General Public |
| Exposure Pathways | Adversarial Targeting, Direct Interaction |
| Causal Factors | Prompt Injection Vulnerability, Inadequate Access Controls |
| Assets & Technologies | Large Language Models, Content Platforms |
| Entities | Anthropic(developer, deployer) |
| Harm Type | rights violation |
A vulnerability chain in Claude.ai enabled silent data exfiltration and redirection to malicious sites via prompt injection combined with API misuse and open redirects. The chain could extract user data without visible indicators. Patched after disclosure.
Incident Summary
Security researchers discovered a vulnerability chain in Claude.ai — dubbed “Claudy Day” — that combined prompt injection, API misuse, and open redirect vulnerabilities to enable silent data exfiltration from user conversations and redirection to malicious sites.[1] The chain operated without visible indicators to the user, meaning that data could be extracted from conversations without the user being aware that their information was being sent to an attacker-controlled endpoint.[2] The vulnerability was patched after responsible disclosure. The “Claudy Day” chain demonstrates that modern AI web applications face the same categories of web security vulnerabilities as traditional web applications (open redirects, API misuse), but with the added dimension that prompt injection can be used to chain these vulnerabilities together, with the AI system itself acting as the bridge between separate vulnerabilities that would not be exploitable in isolation.
Key Facts
- Vulnerability: Chain combining prompt injection + API misuse + open redirects[1]
- Impact: Silent data exfiltration and malicious redirection[1]
- Stealth: No visible indicators to user during exfiltration[2]
- Status: Patched after responsible disclosure[1]
- Platform: Claude.ai web application[2]
Threat Patterns Involved
Primary: Prompt Injection Attack — The Claudy Day chain uses prompt injection as the initiating vulnerability that enables the AI system to be directed to exploit API misuse and open redirect vulnerabilities, demonstrating how prompt injection serves as a universal vulnerability amplifier in AI web applications.
Significance
- AI as vulnerability bridge — The chain demonstrates that AI systems can bridge separate web vulnerabilities that would not be exploitable individually, creating a new category of chained attacks where the AI acts as the connecting element
- Silent exfiltration — The absence of visible indicators during data exfiltration means users cannot detect the attack through normal observation, requiring technical monitoring to identify the vulnerability exploitation
- Web application security applies to AI — The vulnerability demonstrates that AI web applications inherit all traditional web security challenges (open redirects, API misuse) while adding the new dimension of prompt injection, requiring AI security to encompass both AI-specific and traditional web security practices
- Responsible disclosure success — The patching of the vulnerability after responsible disclosure demonstrates that the AI security ecosystem’s vulnerability disclosure processes can function effectively when researchers and developers cooperate
Timeline
Vulnerability chain discovered in Claude.ai
Prompt injection + API misuse + open redirects enable silent data exfiltration
Vulnerability patched after responsible disclosure
Outcomes
- Recovery:
- Vulnerability patched after disclosure
Use in Retrieval
INC-26-0089 documents Claude Code 'Claudy Day' Vulnerability Chain — Silent Data Exfiltration via Prompt Injection, a high-severity incident classified under the Security & Cyber domain and the Prompt Injection Attack threat pattern (PAT-SEC-006). It occurred in Global (2026-03). This page is maintained by TopAIThreats.com as part of an evidence-based registry of AI-enabled threats. Cite as: TopAIThreats.com, "Claude Code 'Claudy Day' Vulnerability Chain — Silent Data Exfiltration via Prompt Injection," INC-26-0089, last updated 2026-03-29.
Sources
- Claude Claudy Day vulnerability chain disclosure (news, 2026-03)
https://devops.com (opens in new tab) - OECD AIM record: Claude.ai vulnerability chain (government, 2026-03-18)
https://oecd.ai/en/incidents/2026-03-18-74b1 (opens in new tab)
Update Log
- — First logged (Status: Confirmed, Evidence: Corroborated)