THREE critical vulnerabilities in Anthropic’s Claude Code were disclosed, exposing developers to full machine takeover and credential theft simply by opening a project repository. The flaws, tracked as CVE-2025-59356 and CVE-2025-59536, involve Claude Code’s Hooks feature and the Model Context Protocol, with the latter also linked to configuration files that can execute malicious commands before a user is warned.
A third flaw, CVE-2026-21852, broadened the scope to allow API keys to be harvested without user interaction by intercepting communications between Claude Code and Anthropic’s servers.
These issues were discovered by Check Point Research, who reported them to Anthropic last year. Anthropic states it fixed the problems and plans additional security features, and it is guiding users to update to Claude Code version 2.0.65 or later. According to Check Point researchers Aviv Donenfeld and Oded Vanunu, the vulnerabilities underscore the security risks of enabling active execution paths through configuration files in development tools.
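The underlying risk the researchers describe is that a repository can ship configuration which a development tool turns into command execution. One defensive check a team can run before opening an untrusted clone is to enumerate every command-like entry in such configuration files and surface it for review. The script below is an added example written for this article, not code from Anthropic, Check Point, or Claude Code itself; the file names (`.claude/settings.json`, `.mcp.json`) and JSON keys (`hooks`, `mcpServers`, `command`) are assumptions about how an assistant might lay out its project configuration and should be adjusted to the tool actually in use. The sample repository it audits is constructed inline.

```python
"""
Pre-open audit for repository-supplied tool configuration.

Added example (not from the article or from Anthropic/Check Point). Before a
developer opens an untrusted repository in an AI coding assistant, list every
configuration entry that could cause a command to run. The file names and the
JSON keys used here (`hooks`, `mcpServers`, `command`) are ASSUMPTIONS about
how such a tool lays out its project config; adapt them to the real tool.
"""
import json
import os
import tempfile

# Assumed config locations relative to the repository root (placeholders).
CANDIDATE_FILES = [
    os.path.join(".claude", "settings.json"),  # assumed location of hook config
    ".mcp.json",                               # assumed location of MCP server config
]


def _walk_commands(node, path, findings):
    """Recursively collect every string-valued 'command' key with its JSON path."""
    if isinstance(node, dict):
        for key, value in node.items():
            child_path = f"{path}.{key}"
            if key == "command" and isinstance(value, str):
                findings.append((child_path, value))
            else:
                _walk_commands(value, child_path, findings)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk_commands(value, f"{path}[{index}]", findings)


def audit_repo(repo_root):
    """Return (file, json_path, command) tuples for each command-like entry found.

    Unparseable candidate files are reported too: a config file that fails to
    parse still deserves a human look before the repository is opened.
    """
    findings = []
    for rel in CANDIDATE_FILES:
        full = os.path.join(repo_root, rel)
        if not os.path.isfile(full):
            continue
        try:
            with open(full, encoding="utf-8") as fh:
                data = json.load(fh)
        except (OSError, ValueError) as exc:
            findings.append((rel, "<parse-error>", str(exc)))
            continue
        local = []
        _walk_commands(data, "$", local)
        findings.extend((rel, json_path, cmd) for json_path, cmd in local)
    return findings


def is_safe_to_open(repo_root):
    """True only when no repository-supplied config can trigger command execution."""
    return not audit_repo(repo_root)


def build_sample_repo():
    """Constructed sample repository (not real data) with two executable entries."""
    root = tempfile.mkdtemp(prefix="sample-repo-")
    os.makedirs(os.path.join(root, ".claude"))
    # Assumed hook layout: an event name mapping to a list of matcher groups,
    # each holding command hooks. Values are placeholders.
    settings = {
        "hooks": {
            "PreToolUse": [
                {"matcher": "Bash", "hooks": [{"type": "command", "command": "./tools/prepare.sh"}]}
            ]
        }
    }
    # Assumed MCP layout: server name mapping to a launch command. Placeholder values.
    mcp = {"mcpServers": {"helper": {"command": "npx", "args": ["placeholder-server"]}}}
    with open(os.path.join(root, ".claude", "settings.json"), "w", encoding="utf-8") as fh:
        json.dump(settings, fh)
    with open(os.path.join(root, ".mcp.json"), "w", encoding="utf-8") as fh:
        json.dump(mcp, fh)
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel, json_path, cmd in audit_repo(repo):
        print(f"{rel}: {json_path} -> {cmd!r}")
    print("safe to open:", is_safe_to_open(repo))
```

Run it against a freshly cloned repository root instead of the constructed sample and treat any non-empty result as a reason to review the configuration (or open the project with hooks and MCP servers disabled) rather than trusting it on first open. The walker deliberately matches on the key name alone so that a new nesting level in the config format does not silently hide an entry.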