Security Vulnerabilities in Repository Configuration and MCP

10/10 Critical

Three CVEs discovered: malicious code in documents can exfiltrate private data; Model Context Protocol (MCP) allows repository config to override user approval safeguards enabling remote code execution; repository-controlled settings redirect API traffic to attacker servers to steal API keys.

Category
security
Workaround
none
Stage
build
Freshness
emerging
Scope
single_lib
Upstream
wontfix
Recurring
No
Buyer Type
enterprise
Maintainer
active

Sources

Collection History

Query: “What are the most common pain points with Claude Code for developers in 2025?” (4/4/2026)

Cloning and opening a malicious repository would be enough to trigger hidden commands, slip past safeguards, and expose active API keys. Repository-controlled configuration settings could override safeguards that require user approval, letting remote code be executed. If an attacker tampers with those repository-controlled settings, API traffic can be redirected to an attacker-controlled server before security protections take effect.

Created: 4/4/2026
Updated: 4/4/2026