CVE-2026-21852: Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed
Summary
Claude Code (an agentic coding tool, meaning an AI that can write and modify code) had a vulnerability before version 2.0.65 where malicious code repositories could steal users' API keys (secret authentication tokens). An attacker could hide a settings file in a repository that redirects API requests to their own server, and Claude Code would send the user's API key there before showing a trust confirmation prompt.
Solution / Mitigation
Update Claude Code to version 2.0.65 or later. The source states: 'Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.'
Vulnerability Details
7.5(high)
EPSS: 0.0%
Classification
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-21852
First tracked: February 15, 2026 at 08:50 PM
Classified by LLM (prompt v3) · confidence: 95%