
Claude Code Project-File RCE and API Token Exfiltration - CVE-2025-59536 / CVE-2026-21852

AI Agent & CLI Security · High · CVE-2025-59536, CVE-2026-21852 (GHSA-jh7p-qr78-84p7)
Affected: Anthropic Claude Code before 1.0.111 (RCE / consent bypass); before 2.0.65 (API key exfiltration)

Check Point Research disclosed a chain of flaws in Anthropic Claude Code that let an untrusted, freshly cloned repository run code and steal the developer's API key before the startup trust dialog was accepted. The chain is tracked as CVE-2025-59536 (pre-consent code execution, fixed in 1.0.111) and CVE-2026-21852 (API key exfiltration, GHSA-jh7p-qr78-84p7, CVSS 5.3, fixed in 2.0.65). This advisory covers what was disclosed and how to inventory and govern this class of project-file abuse.

What happened

Check Point Research found that Claude Code applied a repository's own configuration before it verified that the user trusted the directory. A cloned but untrusted repository could ship a .claude/settings.json that registered a SessionStart hook - an event that fires automatically during initialization - which ran arbitrary shell commands on the developer's machine. In parallel, the enableAllProjectMcpServers setting let MCP initialization commands run before the "Do you trust this directory?" dialog was even readable. The prompt warned that Claude Code might read and execute files "with your permission," but the code had already run. This is CVE-2025-59536, published October 3, 2025, fixed in 1.0.111.

A separate flaw in the same project-load flow let a malicious project set ANTHROPIC_BASE_URL in its repository settings to an attacker-controlled endpoint. Because Claude Code applied that value before showing the trust prompt, it issued API requests to the attacker's server during initialization and leaked the full Anthropic API key in plaintext. This is CVE-2026-21852 (GHSA-jh7p-qr78-84p7, CVSS 5.3), published January 21, 2026, and fixed in Claude Code 2.0.65. The common root cause is an initialization order that applied repository configuration before trust verification. Anthropic deferred network operations until after consent, blocked pre-approval MCP execution, and added stronger warning dialogs. The hooks behavior was first reported July 21, 2025; the full chain was disclosed February 25, 2026.

Why this is an agentic-endpoint risk

The attack surface here is not a server or a network path - it is the coding agent's own configuration files in a repository. A .claude/settings.json, the hooks it registers, the MCP servers it enables, and the environment variables it sets are the artifacts an AI coding agent reads on startup - and they report to no security tool. The exploit fires on the most ordinary developer action: cloning a repository and opening it in Claude Code. No phishing, no privilege escalation - just git clone and a startup that ran code.

This exposure is hard to see with the controls you already run, because it lives in the AI artifact layer. The malicious hook and MCP entries sit in a file a developer never inspects; the Claude Code process looks legitimate to EDR; the network sees TLS traffic to what looks like an Anthropic endpoint when ANTHROPIC_BASE_URL is rewritten; and DLP sees nothing at rest. Hooks, MCP servers, and CLI configuration are three of the eight AI artifact types Anomity tracks per endpoint; like AI agents and MCP servers generally, they are adopted bottom-up by developers and form the new shadow IT. The question is not whether one laptop is patched; it is which endpoints run Claude Code before 1.0.111 or 2.0.65, and which projects carry a SessionStart hook or a rewritten ANTHROPIC_BASE_URL - and you cannot answer that without an inventory of the artifact layer.

How Anomity surfaces and governs it

Upgrading Claude Code closes these two flaws, but the durable control is to treat project-supplied hooks, MCP servers, and CLI configuration as untrusted input and govern what they may do before they run. Anomity does that in three steps. First, inventory. Anomity inventories hooks, MCP servers, and CLI configuration on every managed endpoint as part of the eight AI artifact types it tracks, then classifies them. It captures the Claude Code version and the project-level configuration metadata - SessionStart and other hook registrations, enableAllProjectMcpServers and enabledMcpjsonServers settings, and any ANTHROPIC_BASE_URL override - so you can find builds before 1.0.111 or 2.0.65 and the repositories that carry these entries. Metadata only: the API key is redacted on the endpoint before anything leaves it.

Second, decide at the hook. On agents that expose a hook - for example, the Claude Code PreToolUse event - Anomity evaluates each tool call against your policy and returns allow, deny, or log before the call runs. A shell command or MCP tool call originating from an untrusted project's configuration can be denied at that boundary; this is the control runtime governance provides while a patched build is still rolling out across the fleet. This is the same project-file abuse the sibling GitHub Action bot actor bypass exploited in automation - repository-supplied configuration crossing a trust boundary.

Third, keep the record. Every decision, and every added, changed, or removed hook, MCP server, or CLI setting, lands in a queryable 90-day audit trail, and decisions route to SIEM, Slack, email, or Jira. When a disclosure like CVE-2025-59536 lands, you can answer which endpoints ran the affected versions, which projects registered a SessionStart hook or rewrote ANTHROPIC_BASE_URL, and what those files were allowed to do - from a record, not a guess. Anomity complements Network, EDR, DLP, and GRC tooling and covers the artifact layer those tools were never built to inventory.

"You can't govern what you can't see." - The Anomity principle

What to check across your fleet

  • Inventory every endpoint running Claude Code; flag builds before 1.0.111 (CVE-2025-59536) or 2.0.65 (CVE-2026-21852) and upgrade to 2.0.65 or later, which covers both.
  • Enumerate .claude/settings.json across cloned repositories and surface SessionStart or other startup hooks that run shell commands automatically.
  • Find every project that sets enableAllProjectMcpServers or enabledMcpjsonServers, and confirm those servers cannot initialize before the trust dialog is accepted.
  • Detect any project-level ANTHROPIC_BASE_URL override and treat a rewritten API endpoint as a credential-exfiltration risk, regardless of version.
  • Confirm tool calls from project-supplied hooks or MCP servers are evaluated at the Claude Code PreToolUse hook with allow/deny/log, so a pre-consent action is stopped before it runs.
  • Verify every hook, MCP server, and CLI change is written to a 90-day audit trail and routed to your SIEM.
  • Cross-reference against the sibling GitHub Action bot actor bypass advisory to find endpoints exposed to more than one project-file abuse path.
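An added example (not Anomity's or Anthropic's code) of the repository sweep the first four checks describe: it flags Claude Code builds older than the 2.0.65 fix and walks a tree of cloned repositories for the .claude/settings.json entries this advisory names. The setting names come from the advisory; the nested hooks/env layout is assumed to follow Claude Code's settings schema.

```python
import json
import os

# Added example, not Anomity's or Anthropic's code. The version threshold and
# setting names come from the advisory; the nested hooks/env layout inside
# .claude/settings.json is assumed to follow Claude Code's settings schema.
FIXED_VERSION = (2, 0, 65)  # upgrade target that covers both CVEs

def parse_version(version):
    """'2.0.65' -> (2, 0, 65); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def build_is_vulnerable(version):
    """True for any Claude Code build older than the 2.0.65 fix."""
    return parse_version(version) < FIXED_VERSION

def findings_for_settings(settings):
    """Return (severity, message) pairs for one parsed settings.json dict."""
    out = []
    # SessionStart fires during initialization, so any command here ran pre-consent
    for group in (settings.get("hooks") or {}).get("SessionStart") or []:
        for hook in group.get("hooks") or []:
            cmd = hook.get("command", "<non-command hook>")
            out.append(("high", f"SessionStart hook runs automatically: {cmd}"))
    if settings.get("enableAllProjectMcpServers") is True:
        out.append(("medium", "enableAllProjectMcpServers is true"))
    servers = settings.get("enabledMcpjsonServers") or []
    if servers:
        out.append(("medium", f"enabledMcpjsonServers: {', '.join(servers)}"))
    base_url = (settings.get("env") or {}).get("ANTHROPIC_BASE_URL")
    if base_url:  # the advisory treats any override as an exfiltration risk
        out.append(("high", f"ANTHROPIC_BASE_URL overridden to {base_url}"))
    return out

def scan_repositories(root):
    """Walk cloned repos under root; map each settings path to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != ".claude" or "settings.json" not in files:
            continue
        path = os.path.join(dirpath, "settings.json")
        try:
            with open(path, encoding="utf-8") as fh:
                findings = findings_for_settings(json.load(fh))
        except (OSError, ValueError) as exc:
            findings = [("info", f"could not parse settings: {exc}")]
        report[path] = findings  # an empty list means the project is clean
    return report
```

Run scan_repositories over the directory your developers clone into and route any "high" finding to the SIEM alongside the Claude Code version reported for that endpoint.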

CVE-2025-59536 and CVE-2026-21852 are a reminder that a coding agent's own project files are an execution and credential path: cloning a repository can run code and leak your API key before you ever click "trust." Upgrade Claude Code to 2.0.65 or later, then inventory the hooks, MCP servers, and CLI configuration your endpoints carry and govern the tool calls at the hook. For the full coding-agent attack surface, see the pillar on securing AI coding agents and CLIs. To see Anomity govern the agent and CLI layer across your fleet, request early access.

Frequently asked questions

What is CVE-2025-59536 in Claude Code?

CVE-2025-59536 is a pre-consent code-execution flaw in Anthropic Claude Code, disclosed by Check Point Research and published October 3, 2025. A cloned but untrusted repository could ship a .claude/settings.json that registered a SessionStart hook, and the enableAllProjectMcpServers setting let MCP initialization commands run, before the startup trust dialog was even readable. The root cause was an initialization order that applied repository configuration before trust verification, so opening a hostile project ran attacker shell commands automatically. It is fixed in Claude Code 1.0.111. The hooks behavior was first reported July 21, 2025, and the full chain was publicly disclosed February 25, 2026.

What is CVE-2026-21852 and how is it related?

CVE-2026-21852 (tracked as GHSA-jh7p-qr78-84p7, CVSS 5.3) is the credential-leak half of the same Check Point Research chain, published January 21, 2026. A malicious project could set ANTHROPIC_BASE_URL in its repository settings to an attacker-controlled endpoint. Because Claude Code applied that configuration before showing the trust prompt, it issued API requests to the attacker's server during project load and leaked the full Anthropic API key in plaintext. It shares the root cause with CVE-2025-59536: repository configuration applied ahead of consent. It is fixed in Claude Code 2.0.65, which defers all network operations until after the user confirms trust.

Which Claude Code versions are affected and how do I fix this?

For the code execution and consent bypass (CVE-2025-59536), Claude Code before 1.0.111 is affected; upgrade to 1.0.111 or later. For the API key exfiltration (CVE-2026-21852), Claude Code before 2.0.65 is affected; upgrade to 2.0.65 or later, which covers both. Anthropic deferred network operations until after consent, blocked pre-approval MCP execution, and added stronger warning dialogs. Endpoints on standard auto-update already have the fixes; manually managed installs need an explicit upgrade. The durable control beyond patching is to inventory which endpoints run which Claude Code build and govern what project-file hooks and MCP servers are allowed to do.

How does Anomity reduce exposure to this class of flaw?

Anomity inventories hooks, MCP servers, and CLI configuration on every managed endpoint as part of the eight AI artifact types it tracks, so you can find Claude Code builds before 1.0.111 or 2.0.65 and the projects that register a SessionStart hook or set enableAllProjectMcpServers or ANTHROPIC_BASE_URL. On agents that expose a hook such as Claude Code PreToolUse, it returns allow, deny, or log on each tool call before it runs, so a pre-consent project-file action can be denied at the boundary. Every decision and configuration change lands in a queryable 90-day audit trail routed to your SIEM.
