Claude AI Security Vulnerabilities
Every known CVE affecting Anthropic Claude in the AI Threat Alert database, plus GitHub advisories (GHSA) that have no CVE assigned yet. Covers Claude Code (the CLI), Claude Desktop, the public API and SDKs, and third-party tools in the Claude ecosystem.
Claude AI security: what the attack surface looks like
Anthropic's Claude is exposed through several product surfaces, each with a different threat profile. The public API and the Claude.ai web app are hosted by Anthropic, so their client-side attack surface is narrow and any server-side flaw is Anthropic's to patch. The riskier components run on the user's own machine with the user's privileges: Claude Code (the CLI agent that executes shell commands on developer workstations) and Claude Desktop (the local app that talks to MCP servers). A flaw there reaches the developer's credentials, source trees and shell directly.
Most Claude-related CVEs we track fall into three classes: (1) tool and MCP integrations where attacker-influenced arguments reach the filesystem or a sandbox boundary, typically path traversal, symlink escapes and check-then-use (TOCTOU) races in the SDK memory tool and the Claude Code sandbox; (2) command injection through Claude Code's shell access, whether the payload arrives by prompt injection or through the local environment (the TERMINAL variable entry below); (3) weak protection of credentials and local state in CLIs, installers and IDE extensions, such as group- or world-readable agent memory files, an unprotected ProgramData configuration directory, and installer DLL search-order hijacking.
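The checks below are an added example written for this page; they are not code from Anthropic, the Anthropic SDK or any project listed in the table. They show how a file-backed agent "memory" tool on a POSIX host can confine a client-controlled path argument against the first and third classes above: lexical traversal (`..`, absolute paths), symlink escapes including a link swapped in after the check, and lax directory and file permissions. The tool name, the directory layout and the attacker-planted files are constructed for the demonstration.

```python
# Added example (not Anthropic's or any listed project's code): hardening checks
# for a file-backed agent "memory" tool whose path argument an MCP client controls.
# The directory layout and the attacker-planted symlinks below are constructed.
import errno
import os
import stat
import tempfile
from pathlib import Path, PurePosixPath


class MemoryPathError(PermissionError):
    """A tool argument would reach outside the memory root."""


def normalise(requested: str) -> list[str]:
    """Split a client-supplied path into components, rejecting escapes lexically.

    Catches '..' and absolute paths before touching the filesystem. On its own
    this is not enough: a symlink inside the root still points wherever it likes.
    """
    parts = list(PurePosixPath(requested).parts)
    if not parts or "/" in parts or ".." in parts:
        raise MemoryPathError(f"rejected path argument: {requested!r}")
    return parts


def open_confined(root: Path, requested: str, flags: int = os.O_RDONLY,
                  mode: int = 0o600) -> int:
    """Open `requested` under `root` without following any symlink.

    Each component is opened relative to the previous directory descriptor with
    O_NOFOLLOW, so a link swapped in after the lexical check (the check-then-use
    race) fails with ELOOP instead of redirecting the open outside the root.
    Returns a raw descriptor owned by the caller.
    """
    parts = normalise(requested)
    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for comp in parts[:-1]:
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW | os.O_CLOEXEC, mode,
                       dir_fd=dir_fd)
    except OSError as e:
        # ELOOP: a component is a symlink; ENOTDIR: a file sits where a dir was expected.
        if e.errno in (errno.ELOOP, errno.ENOTDIR):
            raise MemoryPathError(f"symlink in path argument: {requested!r}") from e
        raise
    finally:
        os.close(dir_fd)


def ensure_private(path: Path) -> int:
    """Create the memory root owner-only and verify it; returns the mode bits.

    mkdir's mode is masked by the umask and an existing directory keeps its old
    bits, so chmod explicitly and then check rather than trust the request.
    """
    path.mkdir(mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)
    bits = path.stat().st_mode & 0o777
    if bits & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group or others")
    return bits


def demo() -> dict[str, str]:
    """Exercise the checks on a constructed tree; returns what each request got."""
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "memories"
        results["root_mode"] = oct(ensure_private(root))
        (root / "notes").mkdir(mode=0o700)
        # Legitimate write goes through the same confined open, created 0600.
        fd = open_confined(root, "notes/todo.md", os.O_WRONLY | os.O_CREAT, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write("buy milk\n")
        outside = Path(tmp) / "outside.txt"      # stands in for a key file outside the root
        outside.write_text("SECRET\n")
        os.symlink(outside, root / "link.md")    # attacker-planted file symlink
        os.symlink(Path(tmp), root / "updir")    # attacker-planted directory symlink
        requests = ["notes/todo.md", "../outside.txt", "/etc/passwd",
                    "notes/../../outside.txt", "link.md", "updir/outside.txt"]
        for req in requests:
            try:
                fd = open_confined(root, req)
            except MemoryPathError:
                results[req] = "blocked"
                continue
            with os.fdopen(fd) as f:
                results[req] = f.read().strip()
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:28} -> {outcome}")
```

The lexical check alone would pass `link.md` and `updir/outside.txt`, which is exactly the gap the symlink-escape entries in the table describe; the descriptor-relative `O_NOFOLLOW` walk closes it without a separate realpath check that could be raced.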
All tracked Claude CVEs
| CVE | Severity | Headline / Summary | Published |
|---|---|---|---|
| CVE-2026-21852 | HIGH | claude_code: Weak Credentials allow account compromise | Jan 21, 2026 |
| GHSA-gpx9-96j6-pp87 | MEDIUM | agentos-taskweaver: Protection Bypass circumvents security controls | Jan 28, 2026 |
| CVE-2026-28786 | MEDIUM | Open WebUI: path traversal leaks server filesystem path | Mar 27, 2026 |
| CVE-2026-22561 | HIGH | Claude Setup: DLL search-order hijacking LPE | Mar 31, 2026 |
| CVE-2026-34451 | MEDIUM | anthropic-ai/sdk: memory tool path traversal escape | Mar 31, 2026 |
| CVE-2026-34450 | MEDIUM | anthropic-sdk: insecure file perms expose agent memory | Mar 31, 2026 |
| CVE-2026-34452 | MEDIUM | Anthropic SDK: TOCTOU symlink escape in async memory tool | Mar 31, 2026 |
| CVE-2026-35021 | HIGH | Claude Code CLI: shell injection enables RCE | Apr 6, 2026 |
| CVE-2026-35020 | HIGH | Claude Code CLI: OS command injection via TERMINAL env | Apr 6, 2026 |
| CVE-2026-35022 | CRITICAL | Claude Code: OS command injection, credential theft | Apr 6, 2026 |
| CVE-2026-39398 | MEDIUM | openclaw-claude-bridge: sandbox bypass exposes CLI tools | Apr 8, 2026 |
| CVE-2026-35603 | MEDIUM | Claude Code: config hijack via unprotected ProgramData dir | Apr 17, 2026 |
| CVE-2026-39861 | HIGH | Claude Code: sandbox escape via symlink allows arbitrary write | Apr 21, 2026 |
| CVE-2026-40068 | HIGH | Claude Code: git worktree trust bypass executes hooks | Apr 24, 2026 |
| CVE-2026-41686 | AWAITING NVD | @anthropic-ai/sdk: insecure file perms expose agent memory | Apr 29, 2026 |
| CVE-2026-44220 | LOW | ciguard: symlink traversal exposes secrets via MCP agent | May 5, 2026 |
| CVE-2026-44336 | CRITICAL | PraisonAI: MCP path traversal escalates to full RCE | May 11, 2026 |