CVE-2026-21852

HIGH

7.5

Descricao

Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.

Detalhes CVE

Pontuacao CVSS v3.17.5

SeveridadeHIGH

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado1/21/2026

Ultima modificacao2/2/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

anthropic:claude_code

Fraquezas (CWE)

CWE-522

Referencias

https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7(security-advisories@github.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.