Anthropic Claude Code RCE patched
- Anthropic patched a remote-code-execution flaw in Claude Code on May 12, 2026, after a malicious deeplink could inject settings and run shell commands.
- Claude Code version 2.1.118 fixed the bug, which researcher Joernchen said could execute commands through `claude-cli://` links with no extra prompt.
- Anthropic’s changelog and GitHub repository list later Claude Code releases, while Vercel and Composio continue publishing Claude Code connector documentation.
Anthropic patched a remote-code-execution flaw in Claude Code after a malicious `claude-cli://` deeplink could inject settings and execute shell commands on a user’s machine, according to a public disclosure published May 12 by researcher Joernchen and subsequent reporting on May 18. The flaw affected Claude Code’s deeplink flow and was fixed in version 2.1.118, according to the disclosure and Anthropic-linked release materials.

The bug is the latest in a string of Claude Code security issues disclosed this year, including previously patched flaws involving malicious project files and a sandbox escape. The episode adds to scrutiny of coding agents that can read files, run shell commands and connect to external services.

### How did the deeplink bug work?

Joernchen said the flaw came from an `eagerParseCliFlag` function in Claude Code’s `main.tsx` that scanned the full command-line array for strings beginning with `--settings=` before the main initialization process ran. According to the disclosure, the parser failed to distinguish between a real standalone flag and text embedded inside another argument’s value.

The `claude-cli://open` deeplink handler accepted a `q` parameter used to prefill a prompt through the `--prefill` option, the disclosure said. (cyberpress.org) By placing a malicious `--settings=` payload inside that `q` parameter, an attacker could register a `SessionStart` hook and run arbitrary shell commands when the link opened, according to the researcher’s proof of concept.

### Why did the researcher say one click could be enough?

(cyberpress.org) A proof-of-concept deeplink published by Joernchen showed a payload that opened Apple’s Calculator app and wrote system identity details to a temporary file on macOS. The disclosure said the only user action required was opening the crafted link.
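The parsing mistake described under "How did the deeplink bug work?" is an argument-position confusion: a token that is merely the value of another flag gets read as if it were a flag. The following TypeScript is an added illustration of that pattern beside a position-aware parser; it is not Claude Code’s own code, and the function names, the argv shape and the set of value-taking flags are assumptions.

```typescript
// Added illustration, not Claude Code's own code. Function names, the
// argv shape and the list of value-taking flags are assumptions.

// Flags that consume the following argv token as their value.
// `--prefill` is taken from the disclosure; the others are assumed.
const VALUE_TAKING_FLAGS = new Set(["--prefill", "--settings", "--repo"]);

// Vulnerable pattern: any token that starts with "--settings=" is treated
// as the settings flag, wherever it sits in argv and whatever it belongs to.
function eagerParseSettingsFlag(argv: string[]): string | null {
  for (const arg of argv) {
    if (arg.startsWith("--settings=")) return arg.slice("--settings=".length);
  }
  return null;
}

// Hardened pattern: walk argv in order, skip the value of any flag that
// takes one, and stop at the "--" end-of-options marker, so a token that is
// only the *value* of another flag can never be promoted to a flag.
function parseSettingsFlag(argv: string[]): string | null {
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (arg === "--") break;               // everything after is positional
    if (!arg.startsWith("--")) continue;   // positional argument, not a flag
    const eq = arg.indexOf("=");
    const name = eq === -1 ? arg : arg.slice(0, eq);
    if (name === "--settings") {
      // Accept both "--settings=value" and "--settings value".
      if (eq !== -1) return arg.slice(eq + 1);
      return i + 1 < argv.length ? argv[i + 1] : null;
    }
    // Another flag whose value is a separate token: skip that token.
    if (eq === -1 && VALUE_TAKING_FLAGS.has(name)) i++;
  }
  return null;
}

// Constructed argv: a deeplink's `q` text has become the value of --prefill
// and happens to begin with "--settings=". The text is a harmless placeholder.
const DEEPLINK_ARGV = ["--prefill", '--settings={"placeholder":true}'];

// Constructed argv for the legitimate case: a real standalone settings flag.
const NORMAL_ARGV = ["--settings=/tmp/cfg.json", "--prefill", "hello"];
```

The eager scanner returns the placeholder from `DEEPLINK_ARGV`, while the position-aware parser returns `null` for it and still finds the real flag in `NORMAL_ARGV`.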
Joernchen also said Claude Code’s workspace trust dialog could be bypassed if the `repo` parameter in the deeplink matched a repository the user had already cloned and trusted locally. (cyberpress.org) In that case, the researcher said, no warning prompt appeared and the command ran in the background.

### Was this an isolated Claude Code issue?

Check Point Research said on February 25 that it had found separate Claude Code vulnerabilities that allowed remote code execution and API-key theft through malicious project configurations. (cyberpress.org) The researchers said those issues involved hooks, Model Context Protocol servers and environment variables, and that Anthropic patched them before publication.

GitHub’s advisory database separately lists CVE-2026-39861, a high-severity Claude Code sandbox-escape bug affecting versions earlier than 2.1.64. GitHub said that flaw allowed arbitrary file writes outside the workspace and that users on standard auto-update had received the fix automatically.

### What can Claude Code reach once it is connected to outside services?

Vercel’s documentation says its official MCP server lets approved AI clients, including Claude Code, search documentation, manage projects and deployments, and analyze deployment logs. (research.checkpoint.com) Vercel’s setup instructions also show Claude Code commands for adding the MCP server and authenticating it.

Anthropic’s own Vercel plugin page says the Claude Code integration can manage deployments, builds, logs, domains and frontend infrastructure directly. (github.com) Composio’s Claude Code documentation for Vercel says its toolkit can create deployments, create or delete authentication tokens, manage environment variables and retrieve deployment logs, among other actions.

### What did Anthropic ship after the patch?
Anthropic’s Claude Code changelog shows version 2.1.143 was published on May 15, 2026, with additional fixes and changes including plugin dependency enforcement and updates to background sessions and PowerShell behavior. (vercel.com) The changelog page says it is generated from the project’s `CHANGELOG.md` on GitHub.

GitHub’s repository page for `anthropics/claude-code` shows active development continuing as of May 18, 2026, with the changelog updated within hours of the latest crawl. (claude.com) Vercel’s MCP documentation remains live, and Composio’s Claude Code integration pages continue to advertise authenticated access to third-party services through MCP-based connectors. (github.com) (code.claude.com)