Description
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.
Published: 2026-01-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via API Key Leaks
Action: Immediate Update
AI Analysis

Impact

Claude Code’s project‑load flow before version 2.0.65 allowed an attacker‑controlled repository to include a settings file that overrides the ANTHROPIC_BASE_URL parameter, causing the tool to issue API requests immediately upon opening the repository, before the user could review or confirm the trust prompt. This flaw enabled the exfiltration of the user’s Anthropic API keys to an attacker‑controlled endpoint, compromising sensitive credentials without the user’s knowledge.

Affected Systems

The vulnerability affects Anthropic’s Claude Code agentic coding tool on all versions released prior to 2.0.65. Users who rely on the standard auto‑update mechanism have received the patch automatically, while those performing manual updates should check their current version and install the latest update.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity of information disclosure. The EPSS score of less than 1% suggests that exploit attempts are expected to be rare, and the vulnerability is not cataloged in the CISA KEV list. Exploitation requires an attacker to craft a malicious repository and entice a legitimate user to open it in Claude Code, meaning user interaction is necessary for the attack to succeed.

Generated by OpenCVE AI on April 18, 2026 at 15:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest Claude Code update, version 2.0.65 or later, which contains the fix for the project-load configuration flaw.
  • If your environment does not use automatic updates, enable or schedule regular manual checks for new releases to ensure timely patch deployment.
  • Restrict the use of new or untrusted code repositories in Claude Code until the repository content has been verified or inspected by a trusted source.

Generated by OpenCVE AI on April 18, 2026 at 15:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jh7p-qr78-84p7 Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
History

Mon, 02 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Anthropic
Anthropic claude Code
CPEs cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*
Vendors & Products Anthropic
Anthropic claude Code
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Anthropics
Anthropics claude Code
Vendors & Products Anthropics
Anthropics claude Code

Wed, 21 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 21:00:00 +0000

Type Values Removed Values Added
Description Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.
Title Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
Weaknesses CWE-522
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Anthropic Claude Code
Anthropics Claude Code
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-21T21:34:43.858Z

Reserved: 2026-01-05T16:44:16.366Z

Link: CVE-2026-21852

cve-icon Vulnrichment

Updated: 2026-01-21T21:34:31.132Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-21T21:16:08.693

Modified: 2026-02-02T15:04:41.717

Link: CVE-2026-21852

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses