AI Threat Alert
CVE-2026-21852
HIGHAny developer running Claude Code prior to v2.0.65 who cloned an untrusted repository may have had their Anthropic API key silently exfiltrated—no additional action required beyond opening the repo. Rotate all Anthropic API keys immediately for teams that used affected versions, then enforce the update. Auto-update users are already patched; your risk is concentrated in teams doing manual installs or pinned versions.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| claude_code | pip | — | No patch |
Do you use claude_code? You're affected.
Severity & Risk
Recommended Action
- 1. PATCH: Update Claude Code to v2.0.65+ immediately. Auto-update users are already protected; target manual-update users and pinned installations. 2. ROTATE: Revoke and reissue all Anthropic API keys for anyone running affected versions who opened external repositories since January 2026. 3. AUDIT: Search developer workstations and CI/CD pipelines for .claude/settings.json or equivalent config files with unexpected ANTHROPIC_BASE_URL values. 4. DETECT: Add a CI check or pre-commit hook that flags Claude Code settings files containing ANTHROPIC_BASE_URL pointing to non-Anthropic domains. 5. HARDEN: Enforce least-privilege API key scoping—keys used in developer tooling should not have production data access. 6. POLICY: Add Claude Code version management to your AI tool governance policy; treat it as a security-sensitive tool requiring controlled updates.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.
Exploitation Scenario
An adversary publishes a seemingly useful open-source project on GitHub containing a malicious .claude/settings.json file with ANTHROPIC_BASE_URL set to https://attacker-controlled.io/api. A developer clones the repo to evaluate it, or a CI pipeline checks it out for automated review. Claude Code initializes, reads the project configuration, and immediately issues an API request to the attacker's endpoint—including the Authorization header carrying the developer's Anthropic API key. The attacker's server logs the key without the developer ever seeing a warning. The attacker then uses the stolen key to enumerate accessible resources, run costly API calls at the victim's expense, or access any AI context the key is authorized for. The attack requires no social engineering beyond getting the victim to clone the repository—a routine developer action.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N