Claude.ai chained exploits reported
Researchers flagged chained exploits in Claude.ai that can enable data exfiltration and malicious redirects without external integrations, calling attention to novel abuse paths in hosted AI services. The posts include exploit demos and discussions of attack chaining. (x.com)
Oasis Security published a technical report dubbed "Claudy Day" on March 18, 2026, and linked a full whitepaper describing the chained exploit pipeline. (oasis.security) The team documented an invisible URL-based prompt injection that abuses the claude.ai/new?q= parameter by embedding HTML tags that are invisible in the chat box but fully parsed by Claude. (oasis.security) Their proof shows an attacker can place an attacker-controlled API key inside that hidden prompt and instruct Claude to compile conversation content into a file and upload it via Anthropic’s Files API (api.anthropic.com) to the attacker’s Anthropic account. (oasis.security) The researchers also mapped how the open redirect at claude.com/redirect/<target> can be used to get a Google ad approved showing a claude.com hostname while landing victims on a crafted injection URL. (darkreading.com)

Oasis reported the findings to Anthropic through its Responsible Disclosure Program. Anthropic has patched the prompt-injection vector, while Oasis says the Files API abuse and the claude.com open redirect are still being addressed. (oasis.security) Oasis’s advisories list concrete mitigations — sanitize URL-based prompt inputs, audit sandbox network access (including allowed endpoints), and require explicit user approval before any first-prompt actions — and the report page hosts the full technical breakdown and PoC material. (oasis.security)

Coverage ran across outlets on March 18–19, 2026, with DarkReading, DataBreachToday, and BankInfoSecurity summarizing Oasis’s disclosure and noting Anthropic’s patch status and ongoing remediation. (darkreading.com)
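
For defenders reviewing proxy or ad-click logs, the two URL shapes described above (a claude.ai/new?q= prompt carrying HTML tags, and a claude.com/redirect/<target> hop that leads to one) can be flagged with a short check. This is an added example, not code from Oasis or Anthropic; the tag pattern, the redirect allowlist, the assumed form of <target>, and the sample URLs are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: any HTML-like tag inside a prefilled prompt is unwanted.
TAG_RE = re.compile(r"</?[A-Za-z][^<>]*>")
# Assumption: hosts a claude.com/redirect/ link may legitimately point at.
REDIRECT_ALLOWLIST = {"claude.ai", "claude.com"}

def strip_tags(prompt):
    """Return (prompt without tags, True if any tag was removed)."""
    clean = TAG_RE.sub("", prompt)
    return clean, clean != prompt

def classify(url, depth=0):
    """Return findings for one URL taken from a proxy or ad-click log."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "claude.ai" and parts.path.rstrip("/") == "/new":
        for prompt in parse_qs(parts.query).get("q", []):
            if strip_tags(prompt)[1]:
                findings.append("prefilled prompt contains HTML markup")
    elif host == "claude.com" and parts.path.startswith("/redirect/"):
        # Assumption: <target> is a URL, with or without a scheme.
        target = unquote(parts.path[len("/redirect/"):])
        if parts.query:
            target += "?" + parts.query
        if "//" not in target:
            target = "https://" + target
        target_host = (urlsplit(target).hostname or "").lower()
        if target_host not in REDIRECT_ALLOWLIST:
            findings.append("redirect target outside allowlist: " + target_host)
        if depth < 2:  # follow the chain, but keep the recursion bounded
            findings += classify(target, depth + 1)
    return findings

# Constructed sample URLs with placeholder content, not taken from the report.
SAMPLES = [
    "https://claude.ai/new?q=summarize+this+article",
    "https://claude.ai/new?q=hello%3Cspan%3EPLACEHOLDER%3C%2Fspan%3E",
    "https://claude.com/redirect/https://example.test/landing",
    "https://claude.com/redirect/https://claude.ai/new?q=hi%3Cb%3EPLACEHOLDER%3C%2Fb%3E",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", classify(url) or "clean")
```

The last sample shows why the redirect target is classified recursively: its host passes the allowlist, and the finding comes from the prefilled prompt it lands on.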