← Intel
The Claude Code CVEs Are Not a Patching Story
📰

Reacting to:

Claude Code Critical Flaws Allowed RCE and API Token Theft
supply-chainthreat-intelligencemcpagentic-securitydeveloper-tooling

The Claude Code CVEs Are Not a Patching Story

Two critical flaws in Claude Code — RCE via malicious settings files, silent API key interception — show that the real attack surface isn't the model. It's the config layer your agent trusts before any dialog appears.

Ofir Stein·February 27, 2026note

Check Point Research dropped two CVEs this week for Claude Code, and the coverage has mostly framed them as a patching story. That's the wrong frame.

CVE-2025-59536: a malicious .claude/settings.json anywhere in a repo can auto-execute shell commands through the Hooks and MCP features — without meaningful user consent. CVE-2026-21852: an attacker-set ANTHROPIC_BASE_URL in a project config file silently intercepts every API call before any trust dialog appears, stealing the user's Anthropic key in plaintext.

Both are patched. That's not the point.

The point is where these attacks lived: in the config layer. Not in the model's weights. Not in the inference path. In the privileged initialization environment that the tooling trusts unconditionally when it loads a project. The settings file runs before the agent asks for permission. The base URL override routes traffic before the user sees anything.

This is inherited-privilege exploitation at the toolchain level, and it's the same structural pattern that's showing up everywhere right now. This week alone: a new CVE in the MCP SDK (CVE-2026-25536) exploits authenticated sessions — proving authentication alone is insufficient when the protocol layer itself has no trust boundaries. A scan of 560 MCP servers found 36% with zero authentication at all. One RSA session demo will show full Azure tenant takeover through a single MCP vulnerability.

The common thread isn't any specific bug. It's that the security model for agent tooling was built on assumptions borrowed from traditional software: the config environment is trusted, the tool layer is trusted, the protocol is trusted. None of those assumptions hold when agents are being handed repo access, production credentials, and shell execution by default.

Defenders are still thinking about this as a prompt injection problem — watching what the agent says and does at inference time. But the Claude Code CVEs are a reminder that the compromise can happen before the agent ever processes a single token. The attack surface is the initialization path, not the conversation.

Patching these specific CVEs is the right call. But if your threat model ends at "keep the tooling updated," you're one malicious .claude/settings.json away from finding out what you missed.

← All IntelDeep dives →