Claude Code, the coding assistant developed by Anthropic, is in the news after three major vulnerabilities were discovered, which can allow remote code execution and the theft of API keys if the developer opens an untrusted project. The vulnerabilities, discovered by Check Point researchers Aviv Donenfeld and Oded Vanunu, take advantage of the way in which Claude Code deals with configuration features such as Hooks, Model Context Protocol (MCP) servers, and environment variables, which can turn project files into an attack vector.
The first bug is a high-severity vulnerability, rated 8.7 on the Common Vulnerability Scoring System (CVSS), though it doesn’t have a CVE number. The flaw is related to the bypassing of user consent when the attacker starts the project in an untrusted directory. Using the hooks defined in the repository’s .claude/settings.json, an attacker with commit access can add shell commands in the project, which can be automatically executed when the project is opened in the victim’s environment. In essence, an attacker can execute remote code execution without the need for further user interaction. All the attacker needs to do is ask the victim to open the malicious project, and the attacker can execute the hidden command in the background.
The second vulnerability, tracked as CVE-2025-59536 and also rated 8.7, extends this risk by targeting Claude Code’s integration with external tools via MCP. Here, attackers can weaponize repository-controlled configuration files like .mcp.json and claude/settings.json to override explicit user approval, for example by enabling the “enableAllProjectMcpServers” option, causing arbitrary shell commands to run automatically when the tool initializes. This effectively transforms the normal startup process into a trigger point for remote code execution from an attacker-controlled configuration.
The third flaw, CVE-2026-21852, is an information disclosure bug rated 5.3 that affects Claude Code’s project-load flow.By manipulating settings so that ANTHROPIC_BASE_URL points to an attacker-controlled endpoint, a malicious repository can cause Claude Code to send API requests, including the user’s Anthropic API key, before any trust prompt is displayed. As a result, simply opening a crafted repository can leak active API credentials, allowing adversaries to redirect authenticated traffic, steal keys, and pivot deeper into an organization’s AI infrastructure.
Anthropic has patched all three issues, with fixes rolled out across versions 1.0.87, 1.0.111, and 2.0.65 between September 2025 and January 2026, and has published advisories detailing the impact and mitigations. Nonetheless, the incident underscores how AI coding assistants introduce new supply-chain attack surfaces by trusting project-level configuration files, and it highlights the need for developers to treat untrusted repositories with the same caution as untrusted code, keeping tools updated and reviewing configuration behavior closely.