Multiple Vulnerabilities in Claude Code Expose Users to Security Risks

Severity: High (Score: 70.5)

Sources: www.sentinelone.com, nvd.nist.gov

Summary

Claude Code, an agentic coding tool by Anthropic, has been found to have multiple vulnerabilities affecting various versions. CVE-2026-33068 allows attackers to bypass the trust dialog, enabling arbitrary tool execution without user consent. CVE-2026-25723 permits file write restrictions to be bypassed through improper command validation, potentially leading to system compromise. CVE-2026-21852 enables data exfiltration of sensitive API keys before user trust is confirmed. CVE-2025-59536 allows code execution prior to user acceptance of the startup trust dialog. Users are advised to update to the latest versions to mitigate these risks. The vulnerabilities primarily affect users of Claude Code versions prior to the specified patches. The attack vectors involve network access and user interaction, highlighting the need for vigilance in repository management and command execution.

Key Points:

  • CVE-2026-33068 allows bypassing of trust dialogs in Claude Code.
  • CVE-2026-25723 enables unauthorized file writes to sensitive directories.
  • Users are urged to update to the latest versions to address these vulnerabilities.

Key Entities

  • Data Exfiltration (attack_type)
  • Zero-day Exploit (attack_type)
  • Code Injection (attack_type)
  • CVE-2025-59536 (cve)
  • CVE-2026-21852 (cve)
  • CVE-2026-25723 (cve)
  • CVE-2026-33068 (cve)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-20 - Improper Input Validation (cwe)
  • CWE-94 - Code Injection (cwe)
  • T1059.004 - Unix Shell (mitre_attack)
  • T1567 - Exfiltration Over Web Service (mitre_attack)
  • Claude Code (tool)