CVE-2026-21852 affects anthropics' Claude Code, an agentic coding tool designed to assist developers by automating coding tasks. Prior to version 2.0.65, Claude Code's project-load flow contains a vulnerability where it processes configuration files from repositories immediately upon opening, before the user has confirmed trust in the repository. Specifically, a malicious repository can include a settings file that sets the environment variable ANTHROPIC_BASE_URL to an attacker-controlled endpoint. When Claude Code reads this configuration, it issues API requests to the attacker’s endpoint, sending sensitive data such as Anthropic API keys. This behavior exposes credentials prematurely, violating the principle of least privilege and trust verification. The vulnerability is classified under CWE-522, indicating insufficient protection of credentials. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) indicates that the attack can be performed remotely over the network with low complexity, no privileges, but requires user interaction (opening the repository). The impact includes potential unauthorized access to Anthropic APIs, leading to data leakage or misuse of API capabilities. The vulnerability has been patched in version 2.0.65, and users with auto-update enabled have likely received the fix. Manual updaters must upgrade promptly to mitigate risk. No known exploits have been reported in the wild, but the nature of the vulnerability makes it a significant risk for developers who open untrusted repositories.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of Anthropic API keys, which could lead to misuse of AI services, data exfiltration, or further compromise of internal systems relying on these APIs. Organizations using Claude Code in development environments may inadvertently expose sensitive credentials by opening malicious repositories, potentially enabling attackers to execute unauthorized API calls or gather intelligence. This can undermine confidentiality and integrity of AI-driven workflows and data. The impact is heightened in sectors with strict data protection regulations such as GDPR, where leakage of credentials could lead to compliance violations and reputational damage. Additionally, organizations integrating Claude Code into CI/CD pipelines or collaborative coding environments may face increased risk if malicious code repositories are introduced. While availability impact is low, the confidentiality and integrity risks are moderate, warranting timely remediation. The vulnerability also highlights the importance of secure handling of credentials in developer tools, especially those interacting with cloud APIs.

European organizations should ensure all instances of Claude Code are updated to version 2.0.65 or later, especially those updated manually. Implement strict policies to restrict opening repositories from untrusted or unknown sources. Employ network monitoring to detect unusual outbound API requests from developer workstations. Use environment variable protections or secrets management solutions to prevent leakage of API keys through configuration files. Educate developers about the risks of opening untrusted repositories and the importance of verifying repository trust prompts. Consider isolating development environments or using sandboxing techniques to limit the impact of potential credential exfiltration. Audit and rotate Anthropic API keys regularly to minimize exposure duration. Finally, monitor for any suspicious activity on Anthropic API usage that could indicate compromised credentials.