Claude Code Vulnerability Allows Bypass of Safety Rules via Subcommand Injection

Claude Code Vulnerability Allows Bypass of Safety Rules via Subcommand Injection

First seen 1 Apr 2026, 23:02 UTC TheregisterScworldCsoonlineCybersecuritynewsGbhackers+3 86% similarity 67.5

Article Content

Browse articles
ThreatCluster

A vulnerability in Claude Code allows the AI to bypass its deny rules when presented with a chain of over 50 subcommands. Discovered by Adversa, a Tel Aviv-based security firm, this flaw exposes the AI to prompt injection attacks, potentially enabling unauthorized actions like executing network requests via curl. The issue arises from a hard cap of 50 security subcommands, beyond which Claude Code defaults to asking for user permission. This oversight was not anticipated for AI-generated commands, leading to a proof-of-concept attack where a malicious command was constructed to exploit this limitation. The risk is particularly high in automated environments, such as CI/CD pipelines, where human oversight may be lacking. Anthropic has developed an internal fix but has not yet released it publicly. The vulnerability raises significant regulatory and compliance concerns if left unaddressed.

Key Points: • Claude Code's security rules can be bypassed with over 50 subcommands. • The vulnerability allows for prompt injection attacks, posing risks in automated environments. • Anthropic has an internal fix available but has not released it publicly.

ThreatCluster AI

Timeline

2026-04-01
Adversa reports vulnerability in Claude Code
2026-04-01
Proof-of-concept attack demonstrated by Adversa
2026-04-01
Anthropic acknowledges internal fix for the vulnerability

Community

Browse all →