CVE-2026-21852

HIGH

Claude Code < 2.0.65 - Unauthenticated API Key Exfiltration via Malicious Repository Settings

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-21852. PoCs published by atiilla, XZ1r0, TreRB.

AI-analyzed exploit summary This repository contains a functional proof-of-concept for CVE-2026-21852, demonstrating API key exfiltration via base URL manipulation in Anthropic's Claude Code CLI tool. It includes a MITM proxy to capture API keys and traffic, along with a scanner to detect vulnerable configurations.

Description

Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.

Exploits (3)

nomisec WORKING POC 2 stars
by atiilla · poc
https://github.com/atiilla/CVE-2026-21852-PoC

This repository contains a functional proof-of-concept for CVE-2026-21852, demonstrating API key exfiltration via base URL manipulation in Anthropic's Claude Code CLI tool. It includes a MITM proxy to capture API keys and traffic, along with a scanner to detect vulnerable configurations.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Anthropic Claude Code CLI v2.0.61
No auth needed
Prerequisites: Victim must use a vulnerable version of Claude Code CLI · Attacker must intercept or manipulate the base URL configuration
devstral-2 · analyzed Feb 27, 2026 Full analysis →
github WORKING POC
by XZ1r0 · pythonpoc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-21852-PoC

This repository contains functional exploit code demonstrating CVE-2026-21852, which involves API key exfiltration and conversation interception via manipulated Claude Code settings. The PoC includes a MITM proxy and attacker server to capture credentials and data.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Claude Code (versions before 2.0.65)
No auth needed
Prerequisites: Victim must use a vulnerable version of Claude Code · Victim must open a repository with malicious .claude/settings.json
devstral-2 · analyzed May 21, 2026 Full analysis →
nomisec SCANNER
by TreRB · poc
https://github.com/TreRB/ai-ide-config-guard

This repository contains a static analysis tool designed to scan for malicious AI-IDE configuration files that could lead to RCE, credential theft, or persistent compromise. It checks for various attack vectors such as Claude Code hooks, Unicode smuggling in rules files, MCP auto-registration, and API base-URL redirection.

Classification
Scanner 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: AI-IDE configurations (Claude Code, Cursor, Windsurf, Continue, VS Code forks)
No auth needed
Prerequisites: Access to the target repository's configuration files
devstral-2 · analyzed Apr 20, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 7.5
EPSS 0.0003
EPSS Percentile 10.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-522
Status published
Products (2)
anthropic/claude_code < 2.0.65
anthropic-ai/claude-code 0 - 2.0.65npm
Published Jan 21, 2026
Tracked Since Feb 18, 2026