{"id":10956,"date":"2026-02-26T10:03:49","date_gmt":"2026-02-26T10:03:49","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/26\/critical-claude-code-vulnerabilities-enables-remote-code-execution-attacks\/"},"modified":"2026-02-26T10:03:49","modified_gmt":"2026-02-26T10:03:49","slug":"critical-claude-code-vulnerabilities-enables-remote-code-execution-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/26\/critical-claude-code-vulnerabilities-enables-remote-code-execution-attacks\/","title":{"rendered":"Critical Claude Code Vulnerabilities Enables Remote Code Execution Attacks"},"content":{"rendered":"<p>    Critical Claude Code Vulnerabilities Enables Remote Code Execution Attacks<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>A critical security flaw in Anthropic\u2019s Claude Code demonstrates how threat actors can exploit repository configuration files to execute malicious code and steal sensitive API keys.<\/p>\n<p>The vulnerabilities, tracked as CVE-2025-59536 and CVE-2026-21852, highlight a significant shift in the software <a href=\"https:\/\/cybersecuritynews.com\/threat-actors-weaponizing-open-source-packages\/\" target=\"_blank\" rel=\"noreferrer noopener\">supply chain threat landscape as AI tools<\/a> become embedded in enterprise development workflows.<\/p>\n<p>The vulnerabilities discovered by Check Point Research allowed attackers to bypass built-in trust controls by weaponizing Claude Code\u2019s project-level configuration files.<\/p>\n<p>Typically viewed as harmless metadata used to streamline collaboration, these files were found to function as an active execution layer.<\/p>\n<p>When a developer cloned and opened a malicious repository, built-in automation features like Hooks and <a href=\"https:\/\/cybersecuritynews.com\/best-model-context-protocol-mcp-servers\/\" target=\"_blank\" rel=\"noreferrer noopener\">Model Context Protocol (MCP)<\/a> integrations could be manipulated to trigger unauthorized actions.<\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>CVE ID<\/th>\n<th>Description<\/th>\n<th>CVSS v3.1 Score<\/th>\n<th>Attack Vector<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>CVE-2025-59536<\/strong><\/td>\n<td>User consent bypass allowing unauthorized action execution before approval.<\/td>\n<td>8.8 (High)<\/td>\n<td>AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:L<\/td>\n<\/tr>\n<tr>\n<td><strong>CVE-2026-21852<\/strong><\/td>\n<td>API key theft via traffic redirection before trust validation.<\/td>\n<td>9.1 (Critical)<\/td>\n<td>AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:L<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Check Point revealed that simply launching the tool within an untrusted project directory was enough to initiate silent command execution on the <a href=\"https:\/\/cybersecuritynews.com\/npm-supply-chain-ctrl-tinycolor\/\" target=\"_blank\" rel=\"noreferrer noopener\">developer\u2019s endpoint<\/a>, bypassing explicit user consent.<\/p>\n<p>This effectively inverted the security model, shifting control from the user to the repository\u2019s configuration before trust was established.<\/p>\n<p>One of the most concerning aspects of the research was the potential for <a href=\"https:\/\/cybersecuritynews.com\/hacking-groups-exploit-openclaw\/\" target=\"_blank\" rel=\"noreferrer noopener\">API credential theft<\/a>.<\/p>\n<p>By manipulating repository-controlled settings, attackers could redirect authenticated API traffic, including the full authorization header, to an attacker-controlled server. This exfiltration occurred before the user confirmed trust in the project directory.<\/p>\n<p>The theft of <a href=\"https:\/\/cybersecuritynews.com\/clawdbot-chats-exposed\/\" target=\"_blank\" rel=\"noreferrer noopener\">Anthropic API keys<\/a> poses a severe enterprise risk due to the platform\u2019s Workspaces feature. Workspaces allow multiple API keys to share access to cloud-stored project files.<\/p>\n<p>A single compromised key could grant an attacker unauthorized access to shared resources, enabling them to modify, delete, or upload malicious content, and to generate unauthorized API costs.<\/p>\n<p><a href=\"https:\/\/blog.checkpoint.com\/research\/check-point-researchers-expose-critical-claude-code-flaws\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Check Point Research coordinated with Anthropic<\/a> to address these vulnerabilities before public disclosure.<\/p>\n<p>Anthropic has implemented fixes to strengthen user trust prompts, <a href=\"https:\/\/cybersecuritynews.com\/175000-exposed-ollama-hosts\/\" target=\"_blank\" rel=\"noreferrer noopener\">block execution of external tools <\/a>without explicit approval, and prevent API communications until trust is confirmed.<\/p>\n<p>These findings underscore a critical evolution in the AI supply chain threat model. As agentic AI tools automate more of the development process, repository configuration files can no longer be treated as passive settings.<\/p>\n<p>They now influence execution, networking, and permissions, meaning the risk extends beyond running untrusted code to simply opening an untrusted project.<\/p>\n<p>Organizations must update their security controls to address the blurred trust boundaries introduced by AI-driven automation.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 94%,rgb(169,184,195) 100%)\"><strong>Follow us on <a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>, <a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, and <a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a> for daily cybersecurity updates. <a href=\"https:\/\/cybersecuritynews.com\/contact-us\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contact us<\/a> to feature your stories.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/claude-code-vulnerabilities\/\">Critical Claude Code Vulnerabilities Enables Remote Code Execution Attacks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/claude-code-vulnerabilities\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Critical Claude Code Vulnerabilities Enables Remote Code Execution Attacks A critical security flaw in Anthropic\u2019s Claude Code demonstrates how threat actors can exploit repository configuration files to execute malicious code and steal sensitive API keys. The vulnerabilities, tracked as CVE-2025-59536 and CVE-2026-21852, highlight a significant shift in the software supply chain threat landscape as AI [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-10956","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10956"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10956"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10956\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10956"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10956"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}