--- title: "Critical Claude Code Vulnerabilities Allowed Remote Code Execution and API Key Theft" description: "Check Point Research discovers critical flaws in Claude Code exploiting hooks, MCP servers, and env variables to achieve RCE and exfiltrate API credentials from developer machines." canonical: https://callsphere.ai/blog/claude-code-rce-vulnerabilities-cve-2026-21852 category: "AI News" tags: ["Claude Code", "CVE", "Security Vulnerability", "RCE", "API Key Theft"] author: "CallSphere Team" published: 2026-02-18T00:00:00.000Z updated: 2026-05-08T17:27:37.028Z --- # Critical Claude Code Vulnerabilities Allowed Remote Code Execution and API Key Theft > Check Point Research discovers critical flaws in Claude Code exploiting hooks, MCP servers, and env variables to achieve RCE and exfiltrate API credentials from developer machines. ## AI Coding Tools Face Security Scrutiny Check Point Research disclosed critical vulnerabilities in Anthropic's Claude Code that allowed attackers to achieve remote code execution and steal API credentials through malicious project configurations. ### The Vulnerabilities **CVE-2025-59536 (CVSS 8.7):** A code injection vulnerability that executed arbitrary shell commands automatically when a user started Claude Code in an untrusted directory. The attack triggered during tool initialization — before any user action. **CVE-2026-21852 (CVSS 5.3):** A broader flaw that harvested developers' API keys with **no user interaction required**. If a repository's settings file set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, Claude Code would issue API requests (including API keys) before showing the trust prompt. ```mermaid flowchart TD HUB(("AI Coding Tools Face Security Scrutiny")) HUB --> L0["The Vulnerabilities"] style L0 fill:#e0e7ff,stroke:#6366f1,color:#1e293b HUB --> L1["Attack Vectors"] style L1 fill:#e0e7ff,stroke:#6366f1,color:#1e293b HUB --> L2["The Risk"] style L2 fill:#e0e7ff,stroke:#6366f1,color:#1e293b HUB --> L3["Fixes Applied"] style L3 fill:#e0e7ff,stroke:#6366f1,color:#1e293b style HUB fill:#4f46e5,stroke:#4338ca,color:#fff ``` ### Attack Vectors The vulnerabilities exploited three Claude Code configuration mechanisms: 1. **Hooks** — Custom shell commands triggered by events 2. **MCP Servers** — Model Context Protocol server configurations 3. **Environment Variables** — Project-level variable overrides ### The Risk Any developer who cloned and opened an untrusted repository could have their: - Machine compromised with arbitrary code execution - Anthropic API key exfiltrated to attacker-controlled servers - Development environment compromised ### Fixes Applied - CVE-2025-59536: Fixed in Claude Code version 1.0.111 (October 2025) - CVE-2026-21852: Fixed in Claude Code version 2.0.65 (January 2026) All reported issues were patched before the public disclosure. **Source:** [Check Point Research](https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/) | [The Hacker News](https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html) | [Dark Reading](https://www.darkreading.com/application-security/flaws-claude-code-developer-machines-risk) | [CyberSecurity News](https://cybersecuritynews.com/claude-code-vulnerabilities/) ```mermaid flowchart LR IN(["Input prompt"]) subgraph PRE["Pre processing"] TOK["Tokenize"] EMB["Embed"] end subgraph CORE["Model Core"] ATTN["Self attention layers"] MLP["Feed forward layers"] end subgraph POST["Post processing"] SAMP["Sampling"] DETOK["Detokenize"] end OUT(["Generated text"]) IN --> TOK --> EMB --> ATTN --> MLP --> SAMP --> DETOK --> OUT style IN fill:#f1f5f9,stroke:#64748b,color:#0f172a style CORE fill:#ede9fe,stroke:#7c3aed,color:#1e1b4b style OUT fill:#059669,stroke:#047857,color:#fff ``` ```mermaid flowchart TD HUB(("AI Coding Tools Face Security Scrutiny")) HUB --> L0["The Vulnerabilities"] style L0 fill:#e0e7ff,stroke:#6366f1,color:#1e293b HUB --> L1["Attack Vectors"] style L1 fill:#e0e7ff,stroke:#6366f1,color:#1e293b HUB --> L2["The Risk"] style L2 fill:#e0e7ff,stroke:#6366f1,color:#1e293b HUB --> L3["Fixes Applied"] style L3 fill:#e0e7ff,stroke:#6366f1,color:#1e293b style HUB fill:#4f46e5,stroke:#4338ca,color:#fff ``` ## Critical Claude Code Vulnerabilities Allowed Remote Code Execution and API Key Theft — operator perspective Reading Critical Claude Code Vulnerabilities Allowed Remote Code Execution and API Key Theft as an operator, the question isn't 'is this exciting?' — it's 'does this change anything in my agent loop, my prompt cache, or my cost per session?' The CallSphere stack treats announcements as input to an evals queue, not a product roadmap. Production agents stay pinned; new releases earn their slot only after a regression suite confirms cost, latency, and tool-call reliability move the right way. ## What AI news actually moves the needle for SMB call automation Most AI news is noise. A new benchmark score, a leaderboard reshuffle, a leaked memo — none of it changes whether your AI receptionist books appointments without dropping the call. The handful of things that *do* move production AI voice and chat are concrete: realtime API stability (does the WebSocket survive 5+ minutes without a stall?), language coverage (does it handle 57+ languages with usable accents, or is English the only first-class citizen?), tool-use reliability (does the model actually call the right function with the right argument types under load?), multi-agent handoffs (do specialist agents receive structured context, or just transcripts?), and latency under load (p95 first-token under 800ms when 200 concurrent calls hit the same endpoint?). The CallSphere rule on news is: if it doesn't move at least one of those five numbers in a measurable eval, it's a blog post, not a product change. What to track: provider changelogs for realtime endpoints, tool-call schema changes, language-add announcements, and any deprecation that pins your stack to a sunset date. What to ignore: leaderboard wins on tasks that don't map to your call flow, "agentic" benchmarks that don't measure tool latency, and demos that work because the prompt was hand-tuned for the demo. The teams that ship fastest treat AI news the same way ops teams treat CVE feeds — read everything, act on the small fraction that touches your runtime, archive the rest. ## FAQs **Q: How does critical Claude Code Vulnerabilities Allowed Remote Code Execution and API Key Theft change anything for a production AI voice stack?** A: Most of the time it doesn't, and that's the right starting assumption. The relevant test is whether it improves at least one of: p95 first-token latency, tool-call argument accuracy on noisy inputs, multi-turn handoff stability, or per-session cost. CallSphere ships in 57+ languages, is HIPAA and SOC 2 aligned, and runs voice, chat, SMS, and WhatsApp from the same agent stack. **Q: What's the eval gate critical Claude Code Vulnerabilities Allowed Remote Code Execution and API Key Theft would have to pass at CallSphere?** A: The eval gate is unsentimental — a regression suite that simulates real call traffic (noisy ASR, partial inputs, tool-call timeouts) measures four numbers, and a candidate has to win on three of four without losing badly on the fourth. Anything else is treated as a blog post, not a stack change. **Q: Where would critical Claude Code Vulnerabilities Allowed Remote Code Execution and API Key Theft land first in a CallSphere deployment?** A: In a CallSphere deployment, new model and API capabilities land first in the post-call analytics pipeline (lower stakes, async, easy to roll back) and only later in the live realtime path. Today the verticals most likely to absorb new capability first are Real Estate and Sales, which already run the largest share of production traffic. ## See it live Want to see it helpdesk agents handle real traffic? Walk through https://urackit.callsphere.tech or grab 20 minutes with the founder: https://calendly.com/sagar-callsphere/new-meeting. --- Source: https://callsphere.ai/blog/claude-code-rce-vulnerabilities-cve-2026-21852