CYBERSECURITY researchers have disclosed multiple security vulnerabilities in Anthropic's Claude Code, an AI-powered coding assistant, that could result in remote code execution and theft of API credentials. The findings, reported by Check Point Research, show flaws spanning configuration mechanisms such as Hooks, MCP servers and environment variables that could exfiltrate Anthropic API keys when users clone and open untrusted repositories.
The weaknesses fall into three categories: a No CVE issue (CVSS 8.7) related to code injection via untrusted project hooks defined in .claude/settings[.]json, CVE-2025-59536 (CVSS 8.7) allowing arbitrary shell commands during tool initialization in untrusted directories, and CVE-2026-21852 (CVSS 5.3) an information-disclosure flaw in Claude Code’s project-load flow enabling exfiltration of API keys.
Anthropic itself advised that if a user starts Claude Code in an attacker-controlled repository with a settings file setting ANTHROPIC_BASE_URL to a malicious endpoint, API keys could be leaked via API requests before trust prompts appear. Fixed versions are noted for each issue, including 1.0.87 in September 2025, 1.0.111 in October 2025, and 2.0.65 in January 2026.
What these flaws illustrate is that, in AI-driven development environments, configuration files can effectively become part of the execution layer, potentially broadening the threat model beyond running untrusted code to opening untrusted projects.