CVE-2026-21852
Published: 21 January 2026
Summary
CVE-2026-21852 is a medium-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Anthropic Claude Code. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked at the 10.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-21852 is a vulnerability in Claude Code, an agentic coding tool developed by Anthropic, affecting versions prior to 2.0.65. The issue resides in the project's load flow, where malicious repositories can exfiltrate sensitive data, including users' Anthropic API keys, before a trust confirmation prompt is displayed. Specifically, an attacker-controlled repository can include a settings file that overrides the ANTHROPIC_BASE_URL environment variable to point to an attacker-controlled endpoint. Upon opening the repository, Claude Code reads this configuration and issues API requests immediately, bypassing user approval. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-522 (Insufficiently Protected Credentials).
Attackers can exploit this vulnerability remotely with no privileges or user interaction beyond convincing a target to open a malicious repository, such as via social engineering through shared links or recommendations. No authentication is required, making it accessible to any remote adversary. Successful exploitation allows the attacker to capture API requests containing the victim's Anthropic API keys, enabling unauthorized access to the victim's Anthropic services, potential further compromise of associated accounts, and exfiltration of additional data processed through those APIs.
The security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7 recommends updating to version 2.0.65 or later, which includes a patch addressing the configuration override issue. Users on the standard auto-update channel have already received the fix, while those using manual updates must apply it explicitly to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3597
Vulnerability details
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that…
more
sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: anthropic, claude
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables theft of Anthropic API access tokens via malicious repo config override and immediate exfiltration over attacker-controlled web endpoint before any user approval.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the vulnerability by requiring timely flaw remediation through patching to version 2.0.65 or later, preventing malicious repository configuration overrides.
Enforces secure baseline configuration settings that prevent untrusted repositories from overriding critical parameters like ANTHROPIC_BASE_URL before user trust confirmation.
Validates inputs from malicious repository settings files to block exfiltration attempts via overridden API endpoints prior to user approval.