Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
Description
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Claude Code prior to 2.0.65 allows malicious repositories to leak Anthropic API keys by setting ANTHROPIC_BASE_URL before trust confirmation.
The vulnerability in Claude Code (versions prior to 2.0.65) arises from the project-load flow, where the tool reads configuration files from a repository before the user confirms trust. An attacker can craft a malicious repository containing a settings file that sets the ANTHROPIC_BASE_URL environment variable to an attacker-controlled endpoint. When a user opens this repository in Claude Code, the tool processes the settings and immediately issues API requests to the specified URL, before displaying the trust prompt [1].
To exploit this, an attacker needs to convince a user to open a malicious repository in Claude Code (e.g., via a social engineering attack or by contributing to a project). No additional authentication is required because the API key is already present in the user's environment. The attacker's endpoint receives the API key in the request headers or body, allowing the attacker to capture it [3].
The impact is severe: an attacker who obtains the user's Anthropic API key can use it to make unauthorized API calls, potentially exhausting quotas, accessing private data, or incurring charges. The key could also be used to impersonate the user in other contexts if Anthropic services use the same key for authentication [1][3].
Anthropic has patched this vulnerability in Claude Code version 2.0.65. Users on standard auto-update have already received the fix. Those performing manual updates should upgrade to version 2.0.65 or later. No workarounds are available for unpatched versions; users are advised to avoid opening untrusted repositories in Claude Code until updated [1][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@anthropic-ai/claude-codenpm | < 2.0.65 | 2.0.65 |
Affected products
1- Range: <2.0.65
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-jh7p-qr78-84p7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-21852ghsaADVISORY
- github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7ghsax_refsource_CONFIRMWEB
News mentions
1- 'TrustFall' Convention Exposes Claude Code Execution RiskDark Reading · May 7, 2026