CVE-2026-21852: claude_code: Weak Credentials allow account compromise
HIGH
Any developer running Claude Code prior to v2.0.65 who cloned an untrusted repository may have had their Anthropic API key silently exfiltrated—no additional action required beyond opening the repo. Rotate all Anthropic API keys immediately for teams that used affected versions, then enforce the update. Auto-update users are already patched; your risk is concentrated in teams doing manual installs or pinned versions.
What is the risk?
HIGH. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially exploitable at scale: no privileges, no special conditions, no meaningful user interaction beyond the routine act of opening a cloned repository. The impact is full confidentiality loss of the API key (C:H), enabling account takeover, unauthorized API spend, and potential access to any data the API key was scoped to reach. Exposure is broad across any organization where developers use Claude Code with manual update workflows, CI/CD runners, or shared developer environments.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Anthropic Python | pip | — | No patch |
Do you use Anthropic Python? You're affected.
What should I do?
1. PATCH: Update Claude Code to v2.0.65+ immediately. Auto-update users are already protected; target manual-update users and pinned installations.
2. ROTATE: Revoke and reissue all Anthropic API keys for anyone running affected versions who opened external repositories since January 2026.
3. AUDIT: Search developer workstations and CI/CD pipelines for .claude/settings.json or equivalent config files with unexpected ANTHROPIC_BASE_URL values.
4. DETECT: Add a CI check or pre-commit hook that flags Claude Code settings files containing ANTHROPIC_BASE_URL pointing to non-Anthropic domains.
5. HARDEN: Enforce least-privilege API key scoping—keys used in developer tooling should not have production data access.
6. POLICY: Add Claude Code version management to your AI tool governance policy; treat it as a security-sensitive tool requiring controlled updates.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2026-21852?
Any developer running Claude Code prior to v2.0.65 who cloned an untrusted repository may have had their Anthropic API key silently exfiltrated—no additional action required beyond opening the repo. Rotate all Anthropic API keys immediately for teams that used affected versions, then enforce the update. Auto-update users are already patched; your risk is concentrated in teams doing manual installs or pinned versions.
Is CVE-2026-21852 actively exploited?
No confirmed active exploitation of CVE-2026-21852 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-21852?
1. PATCH: Update Claude Code to v2.0.65+ immediately. Auto-update users are already protected; target manual-update users and pinned installations.
2. ROTATE: Revoke and reissue all Anthropic API keys for anyone running affected versions who opened external repositories since January 2026.
3. AUDIT: Search developer workstations and CI/CD pipelines for .claude/settings.json or equivalent config files with unexpected ANTHROPIC_BASE_URL values.
4. DETECT: Add a CI check or pre-commit hook that flags Claude Code settings files containing ANTHROPIC_BASE_URL pointing to non-Anthropic domains.
5. HARDEN: Enforce least-privilege API key scoping—keys used in developer tooling should not have production data access.
6. POLICY: Add Claude Code version management to your AI tool governance policy; treat it as a security-sensitive tool requiring controlled updates.
What systems are affected by CVE-2026-21852?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI-assisted development environments, CI/CD pipelines with AI tooling, shared developer infrastructure.
What is the CVSS score for CVE-2026-21852?
CVE-2026-21852 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 22.97%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0008.002 Domains
- AML.T0011 User Execution
- AML.T0025 Exfiltration via Cyber Means
- AML.T0055 Unsecured Credentials
- AML.T0081 Modify AI Agent Configuration
- AML.T0083 Credentials from AI Agent Configuration
Compliance Controls Affected
What are the technical details?
Original Advisory
Claude Code is an agentic coding tool. Prior to version 2.0.65, a vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint, and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.
Exploitation Scenario
An adversary publishes a seemingly useful open-source project on GitHub containing a malicious .claude/settings.json file with ANTHROPIC_BASE_URL set to https://attacker-controlled.io/api. A developer clones the repo to evaluate it, or a CI pipeline checks it out for automated review. Claude Code initializes, reads the project configuration, and immediately issues an API request to the attacker's endpoint—including the Authorization header carrying the developer's Anthropic API key. The attacker's server logs the key without the developer ever seeing a warning. The attacker then uses the stolen key to enumerate accessible resources, run costly API calls at the victim's expense, or access any AI context the key is authorized for. The attack requires no social engineering beyond getting the victim to clone the repository—a routine developer action.
Weaknesses (CWE)
CWE-522 — Insufficiently Protected Credentials: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
- [Architecture and Design] Use an appropriate security mechanism to protect the credentials.
- [Architecture and Design] Make appropriate use of cryptography to protect the credentials.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Timeline
Related Vulnerabilities
- CVE-2026-7574 (8.7): Analysis pending. Same package: anthropic
- CVE-2026-45370 (7.7): utcp-cli: env leak exfiltrates all agent process secrets. Same package: anthropic
- GHSA-534h-c3cw-v3h9 (5.5): Nuxt: local unauth IPC leaks .env secrets on shared hosts. Same package: anthropic
- CVE-2026-34452: Anthropic SDK: TOCTOU symlink escape in async memory tool. Same package: anthropic
- CVE-2026-34450: anthropic-sdk: insecure file perms expose agent memory. Same package: anthropic