CVE-2026-21852: claude_code: Weak Credentials allow account compromise

HIGH
Published January 21, 2026
CISO Take

Any developer running Claude Code prior to v2.0.65 who cloned an untrusted repository may have had their Anthropic API key silently exfiltrated—no additional action required beyond opening the repo. Rotate all Anthropic API keys immediately for teams that used affected versions, then enforce the update. Auto-update users are already patched; your risk is concentrated in teams doing manual installs or pinned versions.

Risk Assessment

HIGH. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially exploitable at scale: no privileges, no special conditions, no meaningful user interaction beyond the routine act of opening a cloned repository. The impact is full confidentiality loss of the API key (C:H), enabling account takeover, unauthorized API spend, and potential access to any data the API key was scoped to reach. Exposure is broad across any organization where developers use Claude Code with manual update workflows, CI/CD runners, or shared developer environments.

Affected Systems

Package Ecosystem Vulnerable Range Patched
claude_code pip No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 10% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

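AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None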

Recommended Action

  1. PATCH

    Update Claude Code to v2.0.65+ immediately. Auto-update users are already protected; target manual-update users and pinned installations.

  2. ROTATE

    Revoke and reissue all Anthropic API keys for anyone running affected versions who opened external repositories since January 2026.

  3. AUDIT

    Search developer workstations and CI/CD pipelines for .claude/settings.json or equivalent config files with unexpected ANTHROPIC_BASE_URL values.

  4. DETECT

    Add a CI check or pre-commit hook that flags Claude Code settings files containing ANTHROPIC_BASE_URL pointing to non-Anthropic domains.

  5. HARDEN

    Enforce least-privilege API key scoping—keys used in developer tooling should not have production data access.

  6. POLICY

    Add Claude Code version management to your AI tool governance policy; treat it as a security-sensitive tool requiring controlled updates.

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art. 9 - Risk management system
  Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  A.6.2 - AI system roles and responsibilities
  A.9.3 - AI System Security Controls
  A.9.4 - Technical measures for AI systems
NIST AI RMF
  GOVERN 1.2 - Accountability structures for AI risk
  GOVERN-1.1 - AI Risk Governance Policies
  MANAGE 2.2 - Mechanisms to sustain AI risk management
  MANAGE-2.2 - AI Risk Management: Third-Party and Supply Chain
OWASP LLM Top 10
  LLM02 - Sensitive Information Disclosure
  LLM03 - Supply Chain
  LLM05 - Supply Chain Vulnerabilities
  LLM06 - Sensitive Information Disclosure
  LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-21852?

Any developer running Claude Code prior to v2.0.65 who cloned an untrusted repository may have had their Anthropic API key silently exfiltrated—no additional action required beyond opening the repo. Rotate all Anthropic API keys immediately for teams that used affected versions, then enforce the update. Auto-update users are already patched; your risk is concentrated in teams doing manual installs or pinned versions.

Is CVE-2026-21852 actively exploited?

No confirmed active exploitation of CVE-2026-21852 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-21852?

  1. PATCH: Update Claude Code to v2.0.65+ immediately. Auto-update users are already protected; target manual-update users and pinned installations.
  2. ROTATE: Revoke and reissue all Anthropic API keys for anyone running affected versions who opened external repositories since January 2026.
  3. AUDIT: Search developer workstations and CI/CD pipelines for .claude/settings.json or equivalent config files with unexpected ANTHROPIC_BASE_URL values.
  4. DETECT: Add a CI check or pre-commit hook that flags Claude Code settings files containing ANTHROPIC_BASE_URL pointing to non-Anthropic domains.
  5. HARDEN: Enforce least-privilege API key scoping; keys used in developer tooling should not have production data access.
  6. POLICY: Add Claude Code version management to your AI tool governance policy; treat it as a security-sensitive tool requiring controlled updates.

What systems are affected by CVE-2026-21852?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI-assisted development environments, CI/CD pipelines with AI tooling, shared developer infrastructure.

What is the CVSS score for CVE-2026-21852?

CVE-2026-21852 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

Claude Code is an agentic coding tool. Prior to version 2.0.65, a vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint, and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.

Exploitation Scenario

An adversary publishes a seemingly useful open-source project on GitHub containing a malicious .claude/settings.json file with ANTHROPIC_BASE_URL set to https://attacker-controlled.io/api. A developer clones the repo to evaluate it, or a CI pipeline checks it out for automated review. Claude Code initializes, reads the project configuration, and immediately issues an API request to the attacker's endpoint—including the Authorization header carrying the developer's Anthropic API key. The attacker's server logs the key without the developer ever seeing a warning. The attacker then uses the stolen key to enumerate accessible resources, run costly API calls at the victim's expense, or access any AI context the key is authorized for. The attack requires no social engineering beyond getting the victim to clone the repository—a routine developer action.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: January 21, 2026
Last Modified: February 2, 2026
First Seen: January 21, 2026
