www.darkreading.com 3/18/2026, 4:11:22 PM · via preferred

'Claudy Day' Trio of Flaws Exposes Claude Users to Data Theft

A trio of flaws in Anthropic’s Claude AI, dubbed Claudy Day, could let attackers hide malicious instructions in a pre-filled chat URL and chain them into data theft, researchers from Oasis Security have said. The three flaws are an invisible prompt injection via URL parameters on Claude[.]ai, a data exfiltration channel via the Anthropic Files API, and an open redirect on Claude[.]ai, the Oasis report states.

The attack chain begins when a user searches for Claude on Google and clicks a seemingly legitimate result that actually points to an attacker-controlled page containing a pre-filled prompt with hidden instructions that can silently exfiltrate sensitive data.

Oasis describes how a threat actor could then wrap the open redirect in a crafted claude[.]com/redirect link, lure the user through a Google Ad, and redirect them to claude[.]ai, where the hidden instructions are executed, allowing access to conversation history and other data. Anthropic has fixed the prompt injection flaw and is addressing the other issues, according to Oasis. The report was published on 19 March 2026 (UK date format).

Article by CyberSIXT