Claude Code flaws left AI tool wide open to hackers - ITPro

A recent advisory from Check Point Research revealed details of a trio of vulnerabilities that could allow code to be run remotely or allow hackers to steal API keys by taking advantage of automation and other built-in tools. The flaws shouldn't come as a surprise, given how quickly AI coding tools have been introduced to the industry, said Check Point. ... … "These platforms combine the convenience of automated code generation with the risks of executing AI-generated commands and sharing project configurations across collaborative environments." All three bugs have already been fixed after the security firm disclosed them to Anthropic over the course of several months last year. ... In a blog post detailing the flaws, Check Point said Claude Code introduced a new attack vector by trying to make work easier for developers. The tool is designed to embed project-level configuration files directly within repositories, researchers explained, automatically applying them when a dev opens the tool within any given project directory. While this is a convenient feature, researchers noted that in some instances cloning and opening a malicious repository would be enough to trigger hidden commands, slip past safeguards, and expose active API keys. … The second centered on Model Context Protocol (MCP), an industry system for letting AI models work with external tools. With this flaw, designated CVE-2025-59536, Check Point found that repository-controlled configuration settings could override safeguards that require users approval, letting remote code be executed. "When code runs before trust is established, the control model is inverted – shifting authority from the user to repository-defined configuration and expanding the AI-driven attack surface," the researchers said. The third flaw, tracked as CVE-2026-21852, takes advantage of those repository-controlled configuration settings, researchers said. If a hacker meddles with those, it's possible to redirect API traffic to an attacker controlled server before security protections kick in. That could allow attackers to steal a developer's active API key and other credentials.