CVE-2026-21852 Overview
A vulnerability in Claude Code's project-load flow allows malicious repositories to exfiltrate sensitive data, including Anthropic API keys, before users confirm trust. An attacker-controlled repository can include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint. When the repository is opened, Claude Code reads the configuration and immediately issues API requests before showing the trust prompt, potentially leaking the user's API keys.
Critical Impact
Attackers can steal Anthropic API keys from developers by tricking them into opening malicious repositories, enabling unauthorized API access and potential credential abuse.
Affected Products
- Claude Code versions prior to 2.0.65
Discovery Timeline
- 2026-01-21 - CVE CVE-2026-21852 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2026-21852
Vulnerability Analysis
This vulnerability represents a configuration injection flaw (CWE-522: Insufficiently Protected Credentials) in Claude Code's initialization sequence. The core issue lies in the timing of configuration file parsing relative to user trust verification.
When a user opens a repository containing a malicious settings file, Claude Code processes the configuration immediately upon project load. This includes parsing and applying any custom ANTHROPIC_BASE_URL value specified in the repository's settings. Because this configuration is applied before the trust prompt is displayed to the user, API requests containing authentication credentials are sent to whatever endpoint is specified—including attacker-controlled servers.
The vulnerability enables a pre-authentication attack vector where malicious actors can harvest API keys simply by convincing developers to clone and open their repositories. This is particularly concerning in open-source development workflows where developers frequently clone unfamiliar repositories for code review or dependency evaluation.
Root Cause
The root cause is an improper initialization order in Claude Code's project-load flow. Configuration settings from repository files are applied before the user is presented with a trust confirmation dialog. This allows untrusted repository content to influence security-critical settings like the API endpoint URL before the user has an opportunity to review and reject potentially malicious configurations.
The vulnerability stems from the assumption that configuration files could be safely read before trust verification, when in practice these settings directly control where sensitive credentials are transmitted.
Attack Vector
The attack is network-based and requires user interaction. An attacker would create a malicious repository containing a crafted settings file that overrides the ANTHROPIC_BASE_URL to point to an attacker-controlled server. The attack flow proceeds as follows:
- Attacker creates a repository with a malicious configuration file setting ANTHROPIC_BASE_URL to their server
- Victim clones or downloads the malicious repository
- Victim opens the repository in Claude Code
- Claude Code reads the configuration and applies the malicious URL setting
- Claude Code makes API requests to the attacker's server, including the user's API key
- The trust prompt is shown after credentials have already been transmitted
- Attacker captures the API key regardless of whether the user accepts or rejects the trust prompt
For technical details on exploitation, see the GitHub Security Advisory.
Detection Methods for CVE-2026-21852
Indicators of Compromise
- Unexpected network connections from Claude Code to non-Anthropic domains
- Repository configuration files containing custom ANTHROPIC_BASE_URL settings pointing to unknown endpoints
- API key usage from unfamiliar IP addresses or geographic locations in Anthropic API logs
Detection Strategies
- Monitor outbound network traffic from Claude Code for connections to endpoints other than official Anthropic API servers
- Implement file integrity monitoring to detect repository configuration files that override API endpoint settings
- Review Anthropic API usage logs for anomalous activity patterns indicating potential key compromise
Monitoring Recommendations
- Enable logging for Claude Code network activity and review for unexpected destination addresses
- Configure alerts for Anthropic API key usage from new or suspicious IP addresses
- Implement repository scanning to identify configuration files that modify sensitive settings before opening projects
How to Mitigate CVE-2026-21852
Immediate Actions Required
- Update Claude Code to version 2.0.65 or later immediately
- Rotate any Anthropic API keys that may have been exposed through untrusted repositories
- Review recently opened repositories for suspicious configuration files
- Audit Anthropic API usage logs for unauthorized access attempts
Patch Information
Anthropic has released version 2.0.65 of Claude Code which addresses this vulnerability by ensuring trust verification occurs before processing repository configuration files. Users on standard Claude Code auto-update should have received this fix automatically. Users performing manual updates should update to version 2.0.65 or the latest available version. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Avoid opening untrusted or unfamiliar repositories in Claude Code until the update is applied
- Manually inspect repository configuration files for suspicious ANTHROPIC_BASE_URL settings before opening projects
- Use network monitoring tools to block outbound connections from Claude Code to non-whitelisted domains
# Verify Claude Code version
claude --version
# Update Claude Code to the latest patched version
npm update -g @anthropic/claude-code
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
