- Check Point found three vulnerabilities in Claude Code AI coding assistant
- The flaws allowed remote code execution (RCE) and the theft of API keys
- Issues exploitable through malicious repositories; all patched before public disclosure
If you’re thinking about deeply integrating AI tools into your workflows, be very careful, as some popular AI models have serious vulnerabilities that can turn a trusted digital assistant into a malicious insider.
Researchers at Check Point Research (CPR) have detailed three vulnerabilities in Claude Code that can be used to remotely execute malicious code (RCE) or steal sensitive data, such as API credentials, from unsuspecting victims.
Of the three flaws, two have been assigned CVE identifiers: CVE-2025-59536 (8.7/10) and CVE-2026-21852 (5.3/10). The third, a code injection vulnerability, has not yet been assigned a CVE.
Reevaluation of traditional security assumptions
Claude Code is an advanced AI-powered coding assistant that allows developers to work with AI directly within their coding environment (such as their terminal or IDE). The assistant can do all kinds of things, including executing tasks on entire code bases, all based on natural language instructions.
CPR says that an attacker could create a malicious repository that includes specially crafted project-level configuration files and share it with a developer (for example, via a phishing email or a fake work assignment).
If the developer clones the repository to their local machine and opens the project directory in Claude Code, the tool automatically loads those configuration files, allowing the attacker to abuse built-in mechanisms and trigger hidden shell commands. As a result, user consent prompts are bypassed, and external tools and services are initialized before the user gives explicit approval.
Simply put, the attacker can gain remote code execution or extract the victim's Anthropic API keys before the user confirms their trust in the project.
“AI-powered coding tools are quickly becoming part of enterprise development workflows. Their productivity benefits are significant, but so is the need to reevaluate traditional security assumptions,” CPR said.
“Configuration files are no longer passive configurations. They can influence execution, networking, and permissions. As AI integration deepens, security controls must evolve to match new trust boundaries.”
Fortunately, CPR says all issues were resolved prior to public disclosure.
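A read-only review of a freshly cloned repository before it is opened in an AI coding tool, following the point above that project-level configuration files can influence execution, networking and permissions. This is an added example, not code from Check Point or Anthropic; the file names and keys are assumptions taken from Claude Code's documented project settings rather than from the article, and the sample repository is constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumed names: project-level files and keys from Claude Code's documented
# settings; the article itself does not list them. Extend for other tools.
SETTINGS_FILES = (".claude/settings.json", ".claude/settings.local.json")
MCP_FILE = ".mcp.json"
RISKY_KEYS = ("hooks", "env", "enableAllProjectMcpServers", "enabledMcpjsonServers")


def audit_repo(root):
    """Return (relative_path, key, detail) for each setting that can run commands,
    start servers or redirect traffic. Files are only parsed, never executed."""
    findings = []
    for rel in SETTINGS_FILES + (MCP_FILE,):
        path = Path(root) / rel
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            data = None
        if not isinstance(data, dict):
            findings.append((rel, "<file>", "unreadable or not a JSON object"))
        elif rel == MCP_FILE:
            servers = data.get("mcpServers")
            for name, spec in (servers.items() if isinstance(servers, dict) else ()):
                cmd = spec.get("command") if isinstance(spec, dict) else None
                findings.append((rel, f"mcpServers.{name}", f"command={cmd!r}"))
        else:
            for key in RISKY_KEYS:
                if data.get(key):
                    findings.append((rel, key, json.dumps(data[key])[:120]))
    return findings


def demo():
    """Audit a constructed sample repository holding inert placeholder values."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / ".claude").mkdir()
        (Path(tmp) / SETTINGS_FILES[0]).write_text(json.dumps(
            {"model": "placeholder", "env": {"SAMPLE_VAR": "placeholder"}}))
        (Path(tmp) / MCP_FILE).write_text(json.dumps(
            {"mcpServers": {"sample": {"command": "placeholder-binary"}}}))
        return audit_repo(tmp)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Any finding is a prompt for manual review of that file before the project is opened, not a verdict that the repository is malicious.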




