Critical RCE Vulnerability in Claude Code CLI Exposed via Malicious Deeplinks

Severity: High (Score: 70.5)

Sources: Neuraltrust.Ai, Letsdatascience, Cybersecuritynews, Gbhackers

Published: 2026-05-18 · Updated: 2026-05-19

Keywords: code, claude, attackers, commands, execute, vulnerability, crafted

Severity indicators: vulnerability

Summary

A critical Remote Code Execution (RCE) vulnerability was discovered in Anthropic's Claude Code CLI, allowing attackers to execute arbitrary commands on a victim's machine through specially crafted deeplinks. Identified by security researcher Joernchen, the flaw stemmed from insecure CLI flag parsing, which was exploited by injecting command fragments into deeplink URLs. This vulnerability, now patched in version 2.1.118, highlights the risks associated with convenience features in developer tools when input validation is inadequate. The issue was documented in various reports, emphasizing the need for secure handling of deeplink inputs. Security teams are advised to update to the patched version and review their CLI security practices. The vulnerability underscores a recurring class of issues in AI development tools, where traditional software flaws can lead to severe security risks.

Key Points:

  • A critical RCE vulnerability in Claude Code CLI was disclosed, affecting user systems.
  • The flaw allowed execution of arbitrary commands via crafted deeplink URLs.
  • The issue has been patched in version 2.1.118; users are urged to update immediately.

Detailed Analysis

**Impact** Users of Anthropic’s Claude Code CLI tool across all sectors relying on AI development environments are affected. The vulnerability allowed remote code execution on any machine where the CLI was installed and reachable via deeplink, potentially compromising developer workstations globally. There is no specific data breach reported, but arbitrary command execution risks operational disruption, unauthorized access to local files, and lateral movement within development networks.

**Technical Details** The attack vector exploited insecure parsing of command-line flags in the deeplink handler of Claude Code CLI, specifically in the eagerParseCliFlag function. Malicious actors crafted deeplink URLs using the claude-cli:// protocol with injected flags in the query parameter, enabling arbitrary command execution at the CLI startup phase. The flaw was patched in version 2.1.118. No CVE identifiers or malware/tool names were mentioned. The vulnerability occurs at the initial execution stage of the kill chain, leveraging user interaction with malicious deeplinks.

**Recommended Response** Immediately update Claude Code CLI to version 2.1.118 or later to apply the patch. Monitor for suspicious deeplink activations and CLI invocations originating from untrusted sources. Harden endpoint configurations by restricting deeplink protocol handlers to trusted applications and users. Implement logging and alerting on unusual command-line arguments passed to the CLI and review privilege levels of processes handling deeplink inputs.
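The monitoring recommendation above can be turned into a log check. The following is an added example, not code from Anthropic or from the cited reports: it scans log lines for claude-cli:// deeplinks whose query values decode (including nested percent-encoding) to flag-like tokens. The log layout, the `q` parameter name and `--example-flag` are constructed placeholders, and the flag pattern is a heuristic assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

SCHEME = "claude-cli"  # protocol named in the analysis above
URL_RE = re.compile(re.escape(SCHEME) + r"://[^\s\"'<>]+")
# A token at the start of a value or after whitespace that looks like a CLI flag (-x, --name).
FLAG_RE = re.compile(r"(?:^|\s)(--?[A-Za-z][\w-]*)")

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so %252D%252D is seen as '--'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_like_tokens(url):
    """Return (parameter, token) pairs where a query value carries a flag-like token."""
    hits = []
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for token in FLAG_RE.findall(fully_decode(raw)):
            hits.append((name, token))
    return hits

def scan(lines):
    """Map line number -> findings for every deeplink that carries flag-like input."""
    findings = {}
    for lineno, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            hits = flag_like_tokens(url)
            if hits:
                findings.setdefault(lineno, []).extend(hits)
    return findings

# Constructed sample lines; the log layout, the "q" parameter and
# "--example-flag" are placeholders, not values taken from the reports.
SAMPLE_LOG = [
    'handler=open url="claude-cli://open?q=fix%20the%20off-by-one%20bug"',
    'handler=open url="claude-cli://open?q=hello%20--example-flag%20value"',
    'handler=open url="claude-cli://open?q=hi%2520%252D%252Dexample-flag"',
    'handler=open url="https://example.com/?q=--not-a-deeplink"',
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: flag-like tokens in deeplink query: {hits}")
```

Hyphenated words inside ordinary text (the first sample line) do not match, because a token only counts when it begins the value or follows whitespace.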

Source articles (4)

  • Claude Code Vulnerability Allows Attackers to Run Commands Through Crafted Deeplinks — Gbhackers · 2026-05-18
    A recently disclosed flaw in Claude Code allowed attackers to execute arbitrary system commands using a single crafted deeplink URL, turning a convenience feature into a remote code execution (RCE) ve…
  • Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks — Cybersecuritynews · 2026-05-18
    A critical remote code execution (RCE) vulnerability has been discovered in Anthropic’s Claude Code CLI tool, allowing attackers to execute arbitrary commands on a victim’s machine by tricking them in…
  • Claude Code exposes deeplink-based remote command execution | Let's Data Science — Letsdatascience · 2026-05-18
    According to reporting indexed by itsecuritynews.info from GBHackers Security, security researcher Joernchen disclosed a vulnerability in Anthropic's Claude Code CLI that allowed execution of arbitrar…
  • The Claude Code RCE: When Eager Parsing Leads to Remote Execution — Neuraltrust.Ai · 2026-05-18
    The security landscape for AI developer tools shifted recently with the discovery of a critical Remote Code Execution (RCE) vulnerability in Anthropic’s Claude Code CLI. This flaw, identified by secur…

Timeline

  • 2026-05-18 — RCE vulnerability disclosed: Joernchen reported a critical RCE flaw in Claude Code CLI, enabling command execution via deeplinks.
  • 2026-05-18 — Vulnerability patched: Anthropic released version 2.1.118 of Claude Code, fixing the RCE vulnerability.
  • 2026-05-18 — Public awareness raised: Multiple cybersecurity outlets reported on the vulnerability, emphasizing its implications for developer tools.

Related entities

  • Remote Code Execution (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Anthropic (Company)
  • CWE-78 - OS Command Injection (Cwe)
  • eagerparsecliflag.in (Domain)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1203 - Exploitation for Client Execution (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • Claude Code (Tool)
  • Claude Code CLI (Platform)