Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration
Summary
Researchers discovered three security vulnerabilities in Anthropic's Claude Code (an AI-powered coding assistant) that could allow attackers to run arbitrary commands on a developer's computer and steal API keys (authentication credentials) simply by tricking users into opening malicious project folders. The vulnerabilities exploited configuration files and automation systems to bypass safety prompts and execute malicious code without user consent.
Solution / Mitigation
All three vulnerabilities have been fixed in specific Claude Code versions: the first vulnerability was fixed in version 1.0.87 (September 2025), CVE-2025-59536 was fixed in version 1.0.111 (October 2025), and CVE-2026-21852 was fixed in version 2.0.65 (January 2026). Users should update to these versions or later.
Classification
Affected Vendors
Related Issues
Original source: https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html
First tracked: February 25, 2026 at 03:00 PM
Classified by LLM (prompt v3) · confidence: 95%