CVE-2026-21852
Published: 21 January 2026
Summary
CVE-2026-21852 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Anthropic Claude Code. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked at the 10.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as APIs and Models.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Training instructs users on protecting credentials from disclosure or unauthorized access.
Training records for security awareness and role-based training verify education on credential protection practices, tangibly reducing risks from mishandling or exposing credentials.
Protecting authenticator content from unauthorized disclosure and modification while requiring protective controls addresses insufficiently protected credentials.
Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials.
Terminating or revoking credentials stops use of insufficiently protected or lingering credentials post-termination.
Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.
Credentials or keys delivered out-of-band are not exposed to interception or inadequate protection on the main transport.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables theft of Anthropic API access tokens via malicious repo config override and immediate exfiltration over attacker-controlled web endpoint before any user approval.
NVD Description
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that…
more
sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.
Deeper analysisAI
CVE-2026-21852 is a vulnerability in Claude Code, an agentic coding tool developed by Anthropic, affecting versions prior to 2.0.65. The issue resides in the project's load flow, where malicious repositories can exfiltrate sensitive data, including users' Anthropic API keys, before a trust confirmation prompt is displayed. Specifically, an attacker-controlled repository can include a settings file that overrides the ANTHROPIC_BASE_URL environment variable to point to an attacker-controlled endpoint. Upon opening the repository, Claude Code reads this configuration and issues API requests immediately, bypassing user approval. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-522 (Insufficiently Protected Credentials).
Attackers can exploit this vulnerability remotely with no privileges or user interaction beyond convincing a target to open a malicious repository, such as via social engineering through shared links or recommendations. No authentication is required, making it accessible to any remote adversary. Successful exploitation allows the attacker to capture API requests containing the victim's Anthropic API keys, enabling unauthorized access to the victim's Anthropic services, potential further compromise of associated accounts, and exfiltration of additional data processed through those APIs.
The security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7 recommends updating to version 2.0.65 or later, which includes a patch addressing the configuration override issue. Users on the standard auto-update channel have already received the fix, while those using manual updates must apply it explicitly to mitigate the risk.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: claude, claude, claude, claude