Claude Code Under Fire: RCE Flaws and API Key Theft

Critical vulnerabilities discovered in Anthropic’s Claude Code, an AI‑powered command‑line development tool, highlight the growing risks of AI‑assisted development environments. Researchers at Check Point Research (CPR) found flaws that allowed attackers to achieve Remote Code Execution (RCE) and hijack organization API keys, exposing developer machines and shared workspaces to compromise.

The Vulnerabilities

1. RCE via Untrusted Project Hooks
   • Hooks defined in .claude/settings.json could execute commands automatically.
   • Malicious repositories triggered commands (like reverse shells) immediately upon initialization, without explicit user approval.
2. RCE Using MCP Consent Bypass (CVE‑2025‑59536)
   • Claude Code’s Model Context Protocol (MCP) integration allowed external tool interaction.
   • Attackers bypassed consent dialogs using auto‑approve settings, enabling malicious command execution before user interaction.
3. API Key Exfiltration (CVE‑2026‑21852)
   • Environment variables in .claude/settings.json could redirect API traffic.
   • Attackers intercepted API requests, exposing Anthropic API keys in plaintext.
   • Stolen keys enabled billing fraud and unauthorized workspace access.

Why It Matters

• Supply chain risk: Malicious configurations could be injected via pull requests, honeypot repositories, or compromised accounts.
• Developer exposure: Repository‑controlled settings blur the line between configuration and executable code.
• AI attack surface: As AI‑assisted tools proliferate, attackers exploit trust gaps in automation features.

Mitigation Steps

• Update immediately: Apply the latest patched version of Claude Code.
• Treat configs as code: Audit .claude/settings.json and .mcp.json files with the same scrutiny as executable scripts.
• Restrict repository trust: Avoid cloning unverified repositories; enforce code review for configuration changes.
• Enhance developer awareness: Train teams to recognize risks in AI‑assisted workflows.
• Monitor API usage: Track for anomalies in billing or workspace access tied to API keys.

Final Thought

Claude Code’s vulnerabilities underscore a new frontier: AI‑assisted development tools are part of the supply chain. For leaders, the lesson is clear: configuration files can be weaponized just like code. Protecting developer environments now requires not only patching but also rethinking trust in collaborative AI‑driven workflows.