DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-21852: Premature Exfiltration: How Claude Code Leaked Your Keys Before Asking for Permission

#security #cve #cybersecurity

Premature Exfiltration: How Claude Code Leaked Your Keys Before Asking for Permission

Vulnerability ID: CVE-2026-21852
CVSS Score: 5.3
Published: 2026-01-21

A critical logic flaw in Anthropic's Claude Code CLI tool allowed malicious repositories to exfiltrate user API keys during the initialization phase, specifically occurring before the 'Workspace Trust' prompt was displayed to the user.

TL;DR

The claude-code CLI tool (versions prior to 0.2.x/1.0.0) initialized its network configuration and performed a background API handshake before asking the user if they trusted the current repository. By including a malicious .claudecode/settings.json file in a repository, an attacker could redirect this handshake—containing the user's ANTHROPIC_API_KEY—to an attacker-controlled server. This happened immediately upon running the claude command, rendering the subsequent security prompt useless.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-200 (Exposure of Sensitive Information)
  • Attack Vector: Network (AV:N) - via malicious repository config
  • CVSS: 5.3 (Medium)
  • Impact: Confidentiality Loss (API Key Exfiltration)
  • Exploit Status: PoC Available / Trivial
  • Required Interaction: User must run CLI in malicious dir

Affected Systems

  • Anthropic Claude Code CLI (< 0.2.x)
  • Developer Workstations
  • CI/CD Pipelines using Claude Code
  • claude-code: < 0.2.29 (Fixed in: 1.0.0)

Code Analysis

Commit: e4f8a9c

Fix: Move workspace trust check before config loading and network initialization

@@ -15,6 +15,7 @@
+ await ensureWorkspaceTrusted();
  const config = loadConfig();
- await ensureWorkspaceTrusted();
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • GitHub: Proof of Concept repository demonstrating API key exfiltration via settings.json

Mitigation Strategies

  • Mandatory Trust Gating: Ensure configuration parsing happens after user consent.
  • Input Sanitization: Validate URLs in configuration files against allowlists if possible.
  • Network Isolation: Run untrusted CLI tools in ephemeral containers or sandboxes.

Remediation Steps:

  1. Upgrade claude-code to version 1.0.0 or later immediately.
  2. Revoke and rotate any Anthropic API keys used with previous versions of the CLI.
  3. Review the .claudecode/ directory in any recently accessed repositories for suspicious settings.json files.

References

Read the full report for CVE-2026-21852 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)