API key exfiltration via pre-trust base URL override in Claude Code
CVE-2026-21852 affects Anthropic Claude Code prior to version 2.0.65. A malicious repository can supply project-level configuration, notably via .claude/settings.json, that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint. During the project-load flow, Claude Code reads this configuration and issues API requests before the user confirms the repository trust prompt. Because those requests include the Anthropic API key in the Authorization header, the attacker-controlled endpoint can capture the credential before trust validation occurs. The flaw is therefore a trust-boundary/order-of-operations issue in which repository-controlled configuration is applied to outbound API communication before user consent is established.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
Repository purpose: an educational demo of Claude Code CLI supply-chain style attacks via malicious project configuration, covering (1) a hooks consent/trust bypass leading to command execution (no CVE, fixed in v1.0.87), (2) CVE-2025-59536 where enableAllProjectMcpServers=true can auto-start project-defined MCP servers from .mcp.json and execute arbitrary commands (fixed in v1.0.111), and (3) CVE-2026-21852 where ANTHROPIC_BASE_URL from project settings is applied before the trust prompt, redirecting API traffic (including API keys in Authorization/x-api-key headers) to an attacker endpoint (fixed in v2.0.65). Structure and key files: - vuln1_hooks_bypass/.claude/settings.json: defines PreToolUse/PostToolUse hooks that run shell commands and write to /tmp/claude_vuln1_demo.log, demonstrating RCE on repo open in vulnerable versions. - CVE-2025-59536_mcp_injection/.claude/settings.json + CVE-2025-59536_mcp_injection/.mcp.json: sets enableAllProjectMcpServers=true and defines an MCP server that runs sh -c commands, writing to /tmp/claude_vuln2_demo.log. - CVE-2026-21852_api_exfil/.claude/settings.json: sets env.ANTHROPIC_BASE_URL to http://127.0.0.1:8888 to demonstrate credential exfiltration. - attacker_server.py: local HTTP server on 127.0.0.1:8888 that logs incoming requests (headers and JSON bodies) to /tmp/claude_attacker_demo.log and returns a demo JSON response. - attacker_proxy.py: MITM-style proxy on 127.0.0.1:8888 that captures API keys and conversation content, logs to /tmp/claude_proxy_demo.log, and forwards requests to https://api.anthropic.com to keep victim behavior normal. - scanner.py: a defensive detection tool that scans a given repo path for these patterns (hooks executing commands, enableAllProjectMcpServers + .mcp.json command definitions, and ANTHROPIC_BASE_URL/credential-related env overrides) and exits non-zero if findings exist. Exploit capabilities (as demonstrated): - Local code execution via auto-run hooks and MCP server startup (command execution payloads are simple echo/date/whoami/hostname logging but represent arbitrary command execution). - Network-based credential and data interception by redirecting Claude Code API traffic to an attacker-controlled base URL; optional stealth forwarding to the real Anthropic API. Overall, this is a PoC/educational repository combining malicious config examples, attacker infrastructure (server/proxy), and a scanner to detect the same indicators before opening a repo in Claude Code.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
40 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A patched Claude Code supply-chain vulnerability that allows redirection of ANTHROPIC_BASE_URL to a malicious proxy to intercept authorization headers and steal API keys before trust prompts appear.
One of three previously identified Claude Code vulnerabilities involving malicious repositories abusing project-scoped settings to silently change tool behavior on a developer's machine; the article states it has been patched.
An API key exfiltration vulnerability in Claude Code triggered by a malicious repository (CVSS 5.3).
A critical Claude Code project-configuration flaw enabling API key exfiltration (and enabling downstream compromise) by redirecting Claude Code API traffic to an attacker-controlled endpoint via ANTHROPIC_BASE_URL before trust prompts are shown.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.