CVE-2026-21852

Name of the Vulnerable Software and Affected Versions Claude Code versions prior to 2.0.65

Description Claude Code, an agentic coding tool, had a flaw in its project-load process. This allowed malicious repositories to steal sensitive data, including Anthropic API keys, before a user had a chance to confirm trust. An attacker could craft a repository containing a settings file that modified the ANTHROPIC BASE URL to point to an attacker-controlled endpoint. When a user opened this repository with Claude Code, the tool would immediately make API requests to the attacker's server, potentially exposing the user's API keys. The vulnerability was exploited by overriding the ANTHROPIC BASE URL setting, causing API requests to be sent to an attacker's server before the trust prompt appeared. The API key was then transmitted in plaintext within the Authorization header. The leak of the source code for Claude Code exposed the internal "YOLO" flag, which bypasses safety checks, and the "Query Engine," which manages multi-agent swarms. This leak also revealed vulnerabilities that could lead to supply chain poisoning. Approximately 4% of all public GitHub commits in 2026 were made using Claude Code, increasing the potential impact of this vulnerability.

Recommendations Update to Claude Code version 2.0.65 or a later version.