CATCHING attention with the headline Caught in the Hook, Check Point Research reveals three configuration-based vulnerabilities in Anthropic’s Claude Code that enable remote code execution and API key exfiltration, tracked as CVE-2025-59536 and CVE-2026-21852.
According to Check Point Research, the flaws arise from repository-controlled settings in .claude/settings[.]json and .mcp[.]json, which can trigger arbitrary shell commands via untrusted project hooks, or bypass user consent through MCP server initialisation.
The analysis demonstrates how an attacker could exfiltrate full Anthropic API keys by overriding ANTHROPIC_BASE_URL, watch these requests in plaintext with mitmproxy, and misuse a stolen key to access Workspaces and other resources, including regenerating non-downloadable files to bypass protections. The publication, dated 25 February 2026, notes that Anthropic patched the issues prior to publication and implemented safeguards such as improved consent prompts and network operation delays.
Authors Aviv Donenfeld and Oded Vanunu underscore that supply chain-style distribution of malicious configurations through PRs or Honeypot repositories amplifies the risk to development teams. Public disclosure followed a coordinated timeline, culminating in fixes for the three vulnerabilities and guidance to keep Claude Code up to date.