Cyber Resilience

CVE-2026-21852

Medium

Published: 21 January 2026

Published
21 January 2026
Modified
02 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 10.3th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21852 is a medium-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Anthropic Claude Code. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked at the 10.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-21852 is a vulnerability in Claude Code, an agentic coding tool developed by Anthropic, affecting versions prior to 2.0.65. The issue resides in the project's load flow, where malicious repositories can exfiltrate sensitive data, including users' Anthropic API keys, before a trust confirmation prompt is displayed. Specifically, an attacker-controlled repository can include a settings file that overrides the ANTHROPIC_BASE_URL environment variable to point to an attacker-controlled endpoint. Upon opening the repository, Claude Code reads this configuration and issues API requests immediately, bypassing user approval. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-522 (Insufficiently Protected Credentials).

Attackers can exploit this vulnerability remotely with no privileges or user interaction beyond convincing a target to open a malicious repository, such as via social engineering through shared links or recommendations. No authentication is required, making it accessible to any remote adversary. Successful exploitation allows the attacker to capture API requests containing the victim's Anthropic API keys, enabling unauthorized access to the victim's Anthropic services, potential further compromise of associated accounts, and exfiltration of additional data processed through those APIs.

The security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7 recommends updating to version 2.0.65 or later, which includes a patch addressing the configuration override issue. Users on the standard auto-update channel have already received the fix, while those using manual updates must apply it explicitly to mitigate the risk.

EU & UK References

Vulnerability details

Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that…

more

sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: anthropic, claude

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
T1041 Exfiltration Over C2 Channel Exfiltration
Adversaries may steal data by exfiltrating it over an existing command and control channel.
Why these techniques?

Vulnerability directly enables theft of Anthropic API access tokens via malicious repo config override and immediate exfiltration over attacker-controlled web endpoint before any user approval.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24052Same product: Anthropic Claude Code
CVE-2026-24887Same product: Anthropic Claude Code
CVE-2026-25725Same product: Anthropic Claude Code
CVE-2026-33068Same product: Anthropic Claude Code
CVE-2026-25724Same product: Anthropic Claude Code
CVE-2026-39861Same product: Anthropic Claude Code
CVE-2026-25722Same product: Anthropic Claude Code
CVE-2026-40068Same product: Anthropic Claude Code
CVE-2025-54795Same product: Anthropic Claude Code
CVE-2025-64755Same product: Anthropic Claude Code

Affected Assets

anthropic
claude code
≤ 2.0.65

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the vulnerability by requiring timely flaw remediation through patching to version 2.0.65 or later, preventing malicious repository configuration overrides.

prevent

Enforces secure baseline configuration settings that prevent untrusted repositories from overriding critical parameters like ANTHROPIC_BASE_URL before user trust confirmation.

prevent

Validates inputs from malicious repository settings files to block exfiltration attempts via overridden API endpoints prior to user approval.

References