CVE-2026-21852
📋 TL;DR
This vulnerability in Claude Code versions before 2.0.65 allows malicious repositories to exfiltrate Anthropic API keys before users confirm trust. When opening a repository with a specially crafted settings file, Claude Code would automatically send API requests to attacker-controlled endpoints, potentially leaking sensitive credentials. Users who manually update Claude Code are affected; auto-update users have already received the fix.
💻 Affected Systems
- Claude Code
📦 What is this software?
Claude Code by Anthropic
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Anthropic API keys leading to unauthorized API usage, data exfiltration, and potential account takeover or financial impact.
Likely Case
API key exposure resulting in unauthorized API calls, potential quota exhaustion, and limited data leakage from API interactions.
If Mitigated
No impact if using version 2.0.65+ or with proper repository trust verification before loading.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious repository) but is straightforward once the repository is loaded.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.65
Vendor Advisory: https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7
Restart Required: Yes
Instructions:
1. Open Claude Code. 2. Check current version in settings/about. 3. If below 2.0.65, download latest version from official source. 4. Install update. 5. Restart Claude Code.
🔧 Temporary Workarounds
Disable automatic repository loading
allPrevent Claude Code from automatically loading repository configurations until trust is explicitly confirmed.
Use only trusted repositories
allOnly open repositories from verified, trusted sources until patched.
🧯 If You Can't Patch
- Monitor Anthropic API usage for unexpected activity and rotate API keys immediately.
- Avoid opening any untrusted repositories in Claude Code until patched.
🔍 How to Verify
Check if Vulnerable:
Check Claude Code version in settings/about menu; if version is below 2.0.65, you are vulnerable.Check Version:
Check version in Claude Code settings/about menu (no CLI command available).Verify Fix Applied:
After updating, verify version shows 2.0.65 or higher in settings/about menu.📡 Detection & Monitoring
Log Indicators:
- Unexpected API calls to non-Anthropic domains
- Failed authentication attempts from unusual locations
Network Indicators:
- Outbound connections to non-Anthropic endpoints (api.anthropic.com) from Claude Code
SIEM Query:
destination_ip != 'api.anthropic.com' AND process_name = 'claude-code' AND protocol = 'https'