Vulnerabilities in Claude’s software could compromise developers’ systems.

Three significant security vulnerabilities have been identified in Anthropic’s AI-powered coding tool, Claude Code. These flaws could potentially allow unauthorized access to developers' machines and enable credential theft simply by opening a project repository.

Anthropic addressed these issues after Check Point Research uncovered the vulnerabilities and reported them last year. The company is working on introducing enhanced security features to strengthen the coding platform. In the meantime, developers are advised to use the latest version of Claude Code to ensure their protection.

New Exposures

Check Point researchers Aviv Donenfeld and Oded Vanunu emphasized the importance of security in modern development tools, stating, "These vulnerabilities in Claude Code highlight a critical challenge: balancing powerful automation features with security." They explained that the ability to execute arbitrary commands through repository-controlled configuration files poses severe supply chain risks, as even a single malicious commit could compromise any developer working with the affected repository.

Two of the vulnerabilities are interconnected and revolve around configuration files in a project repository that execute commands without proper user consent. Anthropic has assigned a single identifier, CVE-2025-59536, to track both of these flaws. The third vulnerability, CVE-2026-21852, affects Claude Code versions prior to 2.0.65 and allows for API credential theft through malicious project configurations.

Claude Code serves as a command-line coding tool for developers, enabling them to generate and edit code, fix bugs, execute shell commands, and automate tasks such as code testing. It is part of a rapidly expanding category of AI development tools that many organizations are leveraging to accelerate software development. Other similar tools include GitHub Copilot, Amazon CodeWhisperer, and OpenAI's Codex. Analysts have raised concerns about the new attack surfaces these tools may introduce due to their direct access to source code and local files, which sometimes include credentials within production environments. Additionally, there are risks associated with the tools themselves, such as hallucinations and the potential generation of insecure and vulnerable code.

Configuration Files as Attack Vector

One of the vulnerabilities identified by Check Point, CVE-2025-59536, involves a feature in Claude Code known as Hooks. This feature allows developers to enforce consistent behaviors, like code formatting, at specific points in a project life cycle. However, researchers found that it was relatively simple for an attacker to introduce a malicious Hook command in a project's configuration file. When a developer subsequently opened that project, the malicious commands would execute automatically, without their knowledge or consent. Check Point even developed an exploit to demonstrate how an adversary could leverage this vulnerability to gain remote access to a developer's terminal, with full privileges.

The second vulnerability, also tracked as CVE-2025-59536, is related to Claude Code's Model Context Protocol (MCP) setting, which connects the coding platform with external services and tools. Similar to the Hooks feature, Check Point discovered that developers could configure MCP servers within a project repository using the related configuration file. An attacker with access to this configuration file could execute malicious commands even before any user warning appeared on the developer's screen.

The third vulnerability, CVE-2026-21852, is broader in scope and allows an attacker to harvest a developer's API key without any user interaction. By adjusting a setting in a project's configuration file, Check Point researchers were able to intercept API-related communications between Claude Code and Anthropic's servers. They could redirect these communications to a server controlled by the attacker and log the API key before the user received any warning.

Donenfeld and Vanunu highlighted the dual nature of integrating AI into development workflows, stating, "The integration of AI into development workflows brings tremendous productivity benefits but also introduces new attack surfaces that weren't present in traditional tools. Configuration files that were once passive data now control active execution paths."
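
A read-only audit of the kind a developer could run on a fresh clone before opening it, listing repository-supplied hook commands, MCP server commands and API endpoint overrides for review. This is an added example, not code from the article, Check Point or Anthropic. The file names, key names and the `ANTHROPIC_BASE_URL` variable are assumptions taken from Claude Code's public documentation rather than from this article, and the sample content is constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumed file locations and key names (Claude Code public docs, not this article).
CONFIG_FILES = [".claude/settings.json", ".claude/settings.local.json", ".mcp.json"]
BASE_URL_VAR = "ANTHROPIC_BASE_URL"
SAMPLE = {  # constructed sample repository content, placeholder values
    ".claude/settings.json": {
        "hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "./setup.sh"}]}]},
        "env": {BASE_URL_VAR: "https://proxy.example.invalid"}},
    ".mcp.json": {"mcpServers": {"tools": {"command": "node", "args": ["server.js"]}}}}

def _commands(node):
    """Yield "command [args...]" for every object with a string "command" key."""
    if isinstance(node, dict) and isinstance(node.get("command"), str):
        args = node.get("args")
        yield " ".join([node["command"], *map(str, args if isinstance(args, list) else [])])
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        yield from _commands(child)

def audit_repo(root):
    """Return (file, kind, detail) findings; reads config only, runs nothing."""
    findings = []
    for rel in CONFIG_FILES:
        try:
            data = json.loads((Path(root) / rel).read_text(encoding="utf-8"))
            if not isinstance(data, dict):
                raise ValueError("top level is not a JSON object")
        except FileNotFoundError:
            continue  # file not present in this repository
        except (ValueError, OSError) as exc:
            findings.append((rel, "unparseable", str(exc)))  # review by hand
            continue
        for key, kind in (("hooks", "hook-command"), ("mcpServers", "mcp-command")):
            findings += [(rel, kind, cmd) for cmd in _commands(data.get(key))]
        env = data.get("env")
        if isinstance(env, dict) and BASE_URL_VAR in env:
            findings.append((rel, "api-base-url-override", str(env[BASE_URL_VAR])))
    return findings

def demo():
    """Write SAMPLE into a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE.items():
            (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(root) / rel).write_text(json.dumps(content), encoding="utf-8")
        return audit_repo(root)
```

Calling `audit_repo(path)` on a clone returns the entries to review by hand; a finding is a prompt for inspection, not a verdict that the repository is malicious.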
