CVE-2026-21852

EPSS 0.03%

Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation

Published: 1/21/2026Modified: 2/3/2026

Description

A vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, Claude Code would issue API requests before showing the trust prompt, including potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.

Affected packages (1)

npm/@anthropic-ai/claude-codefrom 0, < 2.0.65

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-21852
PATCHhttps://github.com/anthropics/claude-code
WEBhttps://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7