Research Uncovers Critical Vulnerabilities in Claude Code

Internal mechanisms designed to streamline collaboration could trigger unauthorized actions.

Feb 26, 2026
Coding

New research from Check Point has uncovered critical vulnerabilities in Claude Code (CVE-2025-59536) that highlight a broader shift in the threat model of enterprise AI tools. The full report can be accessed here.

The findings demonstrate that a routine action, such as opening a project, could have served as an entry point into a development environment. The research reveals that internal mechanisms designed to streamline collaboration could, under certain conditions, be abused to trigger unauthorized actions when a repository is opened. 

In specific scenarios, simply cloning and launching a malicious repository could allow background processes to execute and attempt to leverage existing development environment permissions. Additional findings from the report include:

  • Silent Command Execution. Claude Code includes automation capabilities that execute predefined actions when a session begins. This means that simply opening a malicious repository could trigger hidden execution on a developer’s machine without any additional interaction beyond launching the project.
  • User Consent Bypass  (CVE-2025-59536). Claude Code integrates with external tools via the MCP, enabling additional services to be initialized when a project is opened. Researchers found that repository-controlled configuration settings could override these safeguards. When code runs before trust is established, the control model is inverted - shifting authority from the user to repository-defined configuration and expanding the AI-driven attack surface.
  • API Key Theft Before Trust Confirmation. The most concerning finding involved credential exposure. Claude Code communicates with Anthropic’s services using an API key. Researchers demonstrated that API traffic, including the full authorisation header, could be redirected to an attacker-controlled server before the user confirmed trust in the project directory.

Several industry stakeholders recently weighed in with their thoughts.

Andrew Bolster, Senior R&D Manager at Black Duck

"As tools like Claude Code, OpenAI Codex and Google Gemini CLI make their way deeper into the software development lifecycle, the risks of these kinds of autonomous attacks will continue to increase. Previously, security leaders ‘only' had to approve the addition and configuration of SDLC tools ‘one at a time’, but these agentic tools now have almost constantly changing and evolving behavior and can be tricked into these malicious behaviors by external ‘injections’ received at runtime.  

"Application security owners must pay careful attention to how they adopt these capabilities in their development environments and include such risks in their security posture reviews. "

Diana Kelley, CISO at Noma Security

"What stands out in the Check Point research is the pattern it represents. AI-enabled developer tools are no longer passive assistants. In this case, repository-controlled configuration could result in code being executed when a project is opened, before the user’s trust decision was properly enforced. That turns a routine workflow step into a potential execution event inside a developer’s environment.

"Before deploying or approving AI-enabled developer tools, security teams should review how trust prompts are implemented, test what happens when an untrusted repository is opened, and verify that no code runs and no sensitive actions are possible until trust is explicitly established."

Ram Varadarajan, CEO at Acalvio

"It's an inescapable reality: the more AI development proceeds at breakneck speeds, the more vulnerabilities we expose at the same pace.  These findings should surprise no one, and we should anticipate ever more of them going forward.   

"Frankly, at this point, our sole defense is to assume a zero-trust landscape and use AI-driven tripwires and game theory to detect and defuse that constant stream of AI-driven attackers. There's no other way to preemptively defend our systems; it's our bot-on-bot future."

David Brumley, Chief AI and Science Officer at Bugcrowd

"Developers in this age have so much access, and move so fast - that their workflow, tooling, and environments are receiving a lot of attention. What I’m most excited about is the attention and focus that Claude Code is getting, they’re changing how software is written, and they welcome the feedback.

"Anthropic will continue to be an exemplar of how to receive research submissions, validate, and fix them - their work is a rising tide that lifts all boats."

Read Next
Industrial Cyber
Cybersecurity
OPSWAT, Emerson Partner on Cybersecurity for Critical Infrastructure
June 4, 2026
Latest in Cybersecurity
The Today in Manufacturing Podcast from Manufacturing.net
Sponsored
The Today in Manufacturing Podcast from Manufacturing.net
March 31, 2026
Robot Human Hand Connection 000075665883 Small
The Impact of AI on the Identity Attack Surface
June 4, 2026
Industrial Hack Andrey Popov
Your RAID Backup Isn’t Really Backup
June 4, 2026
Phishing Tadamichi
A Simple Tool to Combat Phishing Schemes
June 4, 2026
Related Stories
Ransomware
Cybersecurity
How You Should Approach a Ransomware Attack
Utility Metamorworks
Cybersecurity
A New Kind of Threat—and a New Way to Defuse It
Malware Sashkinw
Cybersecurity
CISA Updates BRICKSTORM Malware Report
The Security Breach Podcast
Sponsor Content
The Security Breach Podcast
More in Cybersecurity
The Today in Manufacturing Podcast from Manufacturing.net
Sponsored
The Today in Manufacturing Podcast from Manufacturing.net
Each week, our editors discuss the five biggest stories in manufacturing and their implications for the industry. 
March 31, 2026
Robot Human Hand Connection 000075665883 Small
Cybersecurity
The Impact of AI on the Identity Attack Surface
Companies are giving AI agents the keys to critical systems faster than safeguards can be established.
June 4, 2026
Industrial Hack Andrey Popov
Cybersecurity
Your RAID Backup Isn’t Really Backup
Avoid finding out the hard way.
June 4, 2026
Cybersecurity
Brooke Watson
Macrium
June 4, 2026
Phishing Tadamichi
Cybersecurity
A Simple Tool to Combat Phishing Schemes
Consistent email signatures can help support human-centric security and foster a cybersecurity culture.
June 4, 2026
Cybersecurity
Yuval Yelin
CISO at WiseStamp
June 4, 2026
Ai Cybersecurity Ismagilov
Cybersecurity
Trump's AI Order Generates Support, Raises More Questions
'Adversaries are operating at machine speed and the Government is operating at bureaucracy speed.'
June 4, 2026
Patching Istock Pashalgnatov
Cybersecurity
Verizon Report Fuels Feedback on AI, Patching, Vulnerability Management
'The reflex after a report like this is to procure more AI. The data argues against it.'
June 4, 2026
Hacktivist Peshkov
Cybersecurity
CISA, Partners Release Fact Sheet on Securing Automatic Tank Gauge Systems
Threat activity involves bad actors manipulating the readings of internet-exposed ATG systems.
June 3, 2026
Kela
Cybersecurity
Inside The Gentlemen Data Breach
Breaking down how this Ransomware-as-a-Service group has surged in the threat rankings.
June 2, 2026
Phishing Tadamichi
Cybersecurity
Report Details New Phishing Scheme
How calendar invite files are now being used to unleash malware.
June 2, 2026
Hacker In Clouds Leolintang
Cybersecurity
The Expanding OT Threat
These attacks are finally being recognized for impacts that go beyond just a single enterprise.
May 29, 2026
Soc
Cybersecurity
OT Remote Access Compliance Tool Helps Control Audit Costs
Continuous audit evidence is built into OT and CPS remote access - eliminating manual work.
May 29, 2026
Encryption
Cybersecurity
The Risks of Delaying Quantum Encryption Strategies
The mindset is understandable, but dangerous.
May 29, 2026
Ai
Cybersecurity
The Hidden Pitfalls of AI Integration in Manufacturing
The question is not whether AI can be useful, but whether it can be integrated without compromise.
May 29, 2026