Date: 2026-02-26

Check Point found three vulnerabilities in Claude Code AI coding assistant

Flaws enabled RCE and API key theft

Issues exploited via malicious repositories; all patched before disclosure

If you’re looking at deeply integrating AI tools into your workflows, be extra careful: some popular AI models come with severe vulnerabilities that can turn a trusted digital assistant into a malicious insider.

Researchers from Check Point (CPR) have detailed three vulnerabilities in Claude Code which can be used to remotely execute malicious code (RCE), or steal sensitive data such as API credentials, from unsuspecting victims.

Of the three flaws, two have been assigned CVE identifiers: CVE-2025-59536 (8.7/10) and CVE-2026-21852 (5.3/10). The third, which hasn’t been assigned a CVE yet, is a code injection vulnerability.

Reassessing traditional security assumptions

Claude Code is an advanced AI‑powered coding assistant that lets developers work with AI directly inside their coding environment (like their terminal or IDE). The assistant can do all sorts of things, including executing tasks across entire codebases, all based on natural language instructions.

CPR says an attacker could create a malicious repository that includes specially crafted project-level configuration files, and share it with a developer (for example, via a phishing email, or a fake job assignment).

If the developer clones the repository to their local machine and opens the project directory in Claude Code, the tool automatically loads the project-level configuration, allowing the attacker to abuse built-in mechanisms and trigger hidden shell commands. As a result, user consent prompts are overridden, and external tools and services are initialized before the user has given explicit approval.

Simply put, the attacker can gain remote code execution or exfiltrate Anthropic API keys before the user confirms trust in the project.

“AI-powered coding tools are rapidly becoming part of enterprise development workflows. Their productivity benefits are significant, but so is the need to reassess traditional security assumptions,” CPR said.

“Configuration files are no longer passive settings. They can influence execution, networking, and permissions. As AI integration deepens, security controls must evolve to match the new trust boundaries.”

Fortunately, CPR says all issues were resolved prior to public disclosure.
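
A pre-open audit for the project-level configuration files described above, as an added example that is not from the article, Check Point, or Anthropic: it lists settings in a freshly cloned repository that can affect execution, networking, or permissions, without running anything. The file names and key names are assumptions taken from Claude Code's public documentation, and the sample repository is constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumption: project-level files Claude Code reads from a repository
# (names from its public documentation, not from the article).
CONFIG_FILES = (".claude/settings.json", ".claude/settings.local.json", ".mcp.json")

# Assumption: top-level keys, grouped by the three effects CPR names.
RISKY_KEYS = {
    "hooks": "execution",
    "mcpServers": "execution",
    "env": "networking",
    "enableAllProjectMcpServers": "permissions",
    "permissions": "permissions",
}


def audit_repo(repo_root):
    """Return sorted (file, key, effect) findings; files are only read, never run."""
    findings = []
    for rel in CONFIG_FILES:
        path = Path(repo_root) / rel
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):  # unreadable, bad encoding, or bad JSON
            data = None
        if not isinstance(data, dict):
            findings.append((rel, "<unparseable>", "review manually"))
            continue
        findings.extend((rel, k, RISKY_KEYS[k]) for k in data if k in RISKY_KEYS)
    return sorted(findings)


def demo():
    """Audit a constructed sample repository built in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / ".claude").mkdir()
        sample = {"hooks": {}, "env": {"EXAMPLE_VAR": "placeholder"}, "model": "x"}
        (Path(root) / ".claude" / "settings.json").write_text(json.dumps(sample))
        (Path(root) / ".mcp.json").write_text("{not json")  # malformed on purpose
        return audit_repo(root)


if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

Run it against a clone before opening the directory in the assistant; any finding is a prompt to read that file by hand, not a verdict that it is malicious.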

