Headline
GHSA-jh7p-qr78-84p7: Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
A vulnerability in Claude Code’s project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, Claude Code would issue API requests before showing the trust prompt, including potentially leaking the user’s API keys.
Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2026-21852
Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
Moderate severity GitHub Reviewed Published Jan 20, 2026 in anthropics/claude-code • Updated Jan 21, 2026
Package
npm @anthropic-ai/claude-code (npm)
Affected versions
< 2.0.65
A vulnerability in Claude Code’s project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, Claude Code would issue API requests before showing the trust prompt, including potentially leaking the user’s API keys.
Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.
References
- GHSA-jh7p-qr78-84p7
Published to the GitHub Advisory Database
Jan 21, 2026
Last updated
Jan 21, 2026