AI Development Tool Exposed: Claude Code RCE and API Key Hijacking Risks Disclosed
Critical vulnerabilities were identified in Anthropic’s Claude Code, an AI-powered command-line development assistant, enabling Remote Code Execution (RCE) and potential API key exfiltration through repository-controlled configuration files.
The issues were reported by Check Point Research and patched by Anthropic prior to public disclosure.
This case highlights a structural shift in risk. AI development tools are now part of the execution surface.
What Was Exploited
Claude Code enables project-level configuration through files stored directly inside repositories, including:
.claude/settings.json.mcp.json
Because these files are inherited when a repository is cloned, any malicious configuration embedded inside a project can execute automatically on a developer’s machine.
In other words, configuration became code execution.
Vulnerability 1: Remote Code Execution via Project Hooks
Claude Code supports “Hooks”, automated commands triggered during specific lifecycle events.
Researchers demonstrated that a malicious repository could define a hook set to trigger on session initialization.
Upon cloning and opening the project, arbitrary shell commands executed immediately.
User trust prompts did not prevent execution in time.
This enabled:
Reverse shell creation
Arbitrary command execution
Silent background compromise
Vulnerability 2: MCP Consent Bypass (CVE-2025-59536)
Claude Code integrates with external tools through the Model Context Protocol (MCP).
Although a consent dialog was implemented after initial disclosure, researchers identified a configuration-based bypass using:
enableAllProjectMcpServersenabledMcpjsonServers
This allowed automatic approval and execution of malicious MCP servers before meaningful user interaction.
Result: Remote Code Execution again.
Vulnerability 3: API Key Exfiltration (CVE-2026-21852)
Researchers discovered that environment variables defined in .claude/settings.json could redirect the API communication endpoint.
By modifying ANTHROPIC_BASE_URL, attackers were able to intercept outbound API requests.
Critically:
The full Anthropic API key was transmitted in plaintext within the authorization header before explicit trust confirmation.
A stolen API key could enable:
Unauthorized API usage
Billing fraud
Access to shared workspaces
Indirect exposure of internal team assets
Why This Matters
This is not a typical vulnerability.
It demonstrates:
Configuration-driven execution risk
Repository-based supply chain exposure
AI tooling embedded inside developer workflows
Identity and API key leakage before user consent
AI tools are now part of the management and execution plane.
If configuration files are not treated as executable code, they become an invisible attack vector.
DIAMATIX Perspective
This case reinforces three architectural realities:
Developer tools are high-value targets.
AI assistants operate with privileged context.
Configuration inheritance creates implicit trust chains.
The attack did not exploit a memory corruption flaw.
It exploited workflow assumptions.
Organizations should:
Treat repository configuration files as executable risk
Restrict automatic execution in development tools
Avoid storing production API keys locally
Implement strong identity governance for AI tool usage
Monitor outbound connections from development endpoints
AI-assisted development increases productivity.
It also increases implicit execution pathways.
Remediation Status
Anthropic has:
Hardened trust dialogs
Prevented automatic MCP execution prior to user consent
Deferred API communications until explicit approval
Developers are advised to update to the latest Claude Code version.
Sources
This analysis is based on publicly available technical disclosures from Check Point Research and vendor security updates from Anthropic.
Trusted · Innovative · Vigilant
