Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Claude Code had a security flaw where it would read settings from a file (`.claude/settings.json`) that could be controlled by someone creating a malicious repository, allowing them to bypass the workspace trust dialog (a security prompt that asks for permission before running code). This meant an attacker could trick users into running code without their knowledge or consent. The vulnerability has been patched.
Fix: Users on standard Claude Code auto-update have already received the fix. Users performing manual updates are advised to update to the latest version.
GitHub Advisory DatabaseCVE-2025-15060 is a remote code execution vulnerability in claude-hovercraft that allows attackers to run arbitrary code without needing to log in. The flaw exists in the executeClaudeCode method, which fails to properly validate user input before using it in a system call (a request to run operating system commands), allowing attackers to inject malicious commands.
Cloud CLI (a user interface for Claude Code and similar tools) had a critical vulnerability in versions before 1.25.0 where user inputs called projectPath, initialCommand, and sessionId were directly used to build system commands without filtering, allowing attackers to inject arbitrary OS commands (OS command injection, where an attacker tricks the system into running unauthorized commands) through WebSocket connections. This vulnerability has been patched in version 1.25.0.
Cloud CLI (a user interface for AI coding tools like Claude Code and Gemini-CLI) had a vulnerability before version 1.24.0 where attackers who had login access could run unauthorized commands on a computer by manipulating text inputs in Git-related features. This happened because the software used string interpolation (directly inserting user text into commands) without properly checking if the input was safe, which is a type of OS command injection (CWE-78, where an attacker tricks the system into executing arbitrary commands).
Cloud CLI (a user interface for accessing Claude Code and similar tools) has a vulnerability in versions before 1.24.0 where user input in the git configuration endpoint is not properly sanitized before being executed as shell commands. This means an authenticated attacker (someone with login access) could run arbitrary OS commands (commands that do whatever they want on the operating system) by exploiting how backticks, command substitution (${}), and backslashes are interpreted within the double-quoted strings.
The Greenshift plugin for WordPress (used to create animations and page builder blocks) has a vulnerability where automated backup files are stored in a publicly accessible location, allowing attackers to read sensitive API keys (for OpenAI, Claude, Google Maps, Gemini, DeepSeek, and Cloudflare Turnstile) without needing to log in. This affects all versions up to 12.8.3.
The OpenClaw macOS beta onboarding flow had a security flaw where it exposed a PKCE code_verifier (a secret token used in OAuth, a system for secure login) by putting it in the OAuth state parameter, which could be seen in URLs. This vulnerability only affected the macOS beta app's login process, not other parts of the software.
Anthropic's Claude service experienced a widespread outage on Monday morning, affecting Claude.ai and Claude Code (though the Claude API remained functional), with most users encountering errors during login. The company identified the issue was related to login and logout systems and stated it was implementing a fix, though no root cause or technical details were disclosed.
OpenClaw, a personal AI assistant, had a security flaw in versions 2026.2.13 and below on macOS where OAuth tokens (authentication credentials that prove you're logged in) could be used to inject malicious OS commands (commands that run at the operating system level) into the credential refresh process. An attacker could exploit this by crafting a specially designed token to execute arbitrary commands on the affected system.
The Claude CLI tool on macOS had a shell injection vulnerability (a security flaw where attackers can run arbitrary commands) in how it stored authentication tokens in the system keychain. The problem occurred because user-controlled OAuth tokens were directly inserted into shell commands without proper protection, allowing an attacker to break out of the intended command and execute malicious code.
sf-mcp-server, a tool that connects Salesforce to Claude for Desktop, has a command injection vulnerability (CWE-78, a flaw where attackers inject malicious commands into user input). The vulnerability exists because the software unsafely uses child_process.exec (a function that runs shell commands) with user-controlled input, allowing attackers to execute arbitrary shell commands with the server's privileges.
Claude Code, a tool that uses AI to help write software, had a security flaw in versions before 2.1.2 where its bubblewrap sandboxing mechanism (a security container that isolates code) failed to protect a settings file called .claude/settings.json if it didn't already exist. This allowed malicious code running inside the sandbox to create this file and add persistent hooks (startup commands that execute automatically), which would then run with elevated host privileges when Claude Code restarted.
Claude Code (an AI tool that can write and modify software) before version 2.1.7 had a security flaw where it could bypass file access restrictions through symbolic links (shortcuts that point to other files). If a user blocked Claude Code from reading a sensitive file like /etc/passwd, the tool could still read it by accessing a symbolic link pointing to that file, bypassing the security controls.
Claude Code (an AI tool that can write and run code automatically) had a security flaw before version 2.0.55 where it didn't properly check certain commands, allowing attackers to write files to protected folders they shouldn't be able to access, as long as they could get Claude Code to run commands with the "accept edits" feature turned on.
Claude Code, an agentic coding tool (AI software that can write and execute code), had a security flaw in versions before 2.0.57 where it failed to properly check directory changes. An attacker could use the cd command (change directory, which moves to a different folder) to navigate into protected folders like .claude and bypass write protections, allowing them to create or modify files without the user's approval, especially if they could inject malicious instructions into the tool's context window (the information the AI reads before responding).
Claude Code is an agentic coding tool (software that can automatically write and execute code) that had a vulnerability in versions before 2.0.72 where attackers could bypass safety confirmation prompts and execute untrusted commands through the find command by injecting malicious content into the tool's context window (the input area where the AI reads information). The vulnerability has a CVSS score (a 0-10 severity rating) of 7.7, meaning it is considered high severity.
Claude Code, an agentic coding tool (AI software that writes and manages code), had a vulnerability in versions before 2.0.74 where a flaw in how it validated Bash commands (a Unix shell language) allowed attackers to bypass directory restrictions and write files outside the intended folder without permission from the user. The attack required the user to be running ZSH (a different Unix shell) and to allow untrusted content into Claude Code's input.
Claude Code, a tool that helps AI write and execute code automatically, had a security flaw before version 1.0.111 where it didn't properly check website addresses (URLs) before making requests to them. The app used a simple startsWith() check (looking only at the beginning of a domain name), which meant attackers could register fake domains like modelcontextprotocol.io.example.com that would be mistakenly trusted, allowing the tool to send data to attacker-controlled sites without the user knowing.
MCP Manager for Claude Desktop has a vulnerability where attackers can inject malicious commands into MCP config objects (configuration files that tell Claude how to use external tools) that aren't properly checked before being run as system commands. By tricking a user into visiting a malicious website or opening a malicious file, an attacker can break out of the sandbox (the restricted environment that limits what Claude can access) and run arbitrary code (any commands they want) on the computer.
Fix: Update Cloud CLI to version 1.25.0 or later, which fixes the OS command injection vulnerability.
NVD/CVE DatabaseFix: This vulnerability is fixed in version 1.24.0. Users should update Cloud CLI to 1.24.0 or later.
NVD/CVE DatabaseFix: This vulnerability is fixed in version 1.24.0. Users should update Cloud CLI to version 1.24.0 or later.
NVD/CVE DatabaseFix: OpenClaw removed Anthropic OAuth sign-in from macOS onboarding and replaced it with setup-token-only authentication. The fix is available in patched version 2026.2.25.
GitHub Advisory DatabaseAnthropic accused three Chinese AI companies (DeepSeek, Moonshot AI, and MiniMax) of using distillation (a technique where one AI model learns from another by analyzing its outputs) to illegally extract capabilities from Claude by creating over 24,000 fake accounts and generating millions of interactions. This theft targeted Claude's most advanced features like reasoning, tool use, and coding, and raises security concerns because stolen models may lack safeguards against misuse like bioweapon development.
Fix: Anthropic stated it will 'continue to invest in defenses that make distillation attacks harder to execute and easier to identify,' and is calling on 'a coordinated response across the AI industry, cloud providers, and policymakers.' The company also argues that export controls on advanced AI chips to China would limit both direct model training and the scale of such distillation attacks.
TechCrunchFix: Update to version 2026.2.14 or later. According to the source, 'This issue has been fixed in version 2026.2.14.'
NVD/CVE DatabaseFix: Update to version 2026.2.14 or later. The fix avoids invoking a shell by using `execFileSync("security", argv)` and passing the updated keychain payload as a literal argument instead of constructing a shell command string.
GitHub Advisory DatabaseFix: This issue has been patched in version 2.1.2.
NVD/CVE DatabaseFix: Update Claude Code to version 2.1.7 or later. According to the source: 'This issue has been patched in version 2.1.7.'
NVD/CVE DatabaseFix: This issue has been patched in version 2.0.55.
NVD/CVE DatabaseFix: This issue has been patched in version 2.0.57.
NVD/CVE DatabaseFix: This issue has been patched in version 2.0.72.
NVD/CVE DatabaseFix: This issue has been patched in version 2.0.74. Users should update Claude Code to version 2.0.74 or later.
NVD/CVE DatabaseFix: Update Claude Code to version 1.0.111 or later, as the issue has been patched in that version.
NVD/CVE Database