Anthropic faces security flaws

Researchers have spent the past few months surfacing a pattern across Anthropic’s Claude products: the weak point is often not the model alone, but the boundary between trusted and untrusted inputs. In February, Check Point Research disclosed flaws in Claude Code that it said could let attackers execute shell commands or steal Anthropic API keys when a developer cloned and opened a malicious repository. The attack paths relied on repository-level settings, Hooks, Model Context Protocol integrations and environment variables that were processed before or around user trust prompts, according to Check Point and Anthropic’s advisory. (blog.checkpoint.com) The specifics matter because they show how “configuration” can become execution. Check Point said a malicious project could abuse `.claude/settings.json`, `.mcp.json` and related startup flows so that opening a repo was enough to trigger hidden commands or redirect authenticated traffic. Anthropic said one issue, CVE-2026-21852, could leak API keys if `ANTHROPIC_BASE_URL` was pointed to an attacker-controlled endpoint before the trust prompt appeared. (blog.checkpoint.com) Those Claude Code issues were fixed across releases in late 2025 and January 2026, according to Anthropic and reporting on the disclosure. The fixes covered a consent-bypass bug, CVE-2025-59536, and the key-exfiltration issue, CVE-2026-21852. (thehackernews.com) A separate disclosure in March pointed to the same class of problem in Anthropic’s Chrome extension. Koi Security researcher Oren Yomtov said the “ShadowPrompt” flaw let any website silently inject prompts into Claude’s browser assistant by chaining an overly broad `*.claude.ai` allowlist with a DOM-based XSS bug in an Arkose Labs CAPTCHA component. The result, he said, was that the extension treated attacker-supplied instructions as if they were user requests. (thehackernews.com) According to The Hacker News, the extension flaw could have let attackers steal tokens, access conversation history and perform actions on a user’s behalf. Anthropic patched the extension in version 1.0.41, and Arkose Labs fixed the XSS issue on February 19, 2026, the report said. (thehackernews.com) Taken together, the disclosures describe a recurring security problem in agent systems: the model may be following instructions correctly, while the surrounding product mislabels where those instructions came from. Yomtov framed it as a trust-boundary failure, saying the security of an autonomous browser agent is only as strong as “the weakest origin in its trust boundary.” Check Point made a similar point in the developer-tool context, saying repository metadata had effectively become part of the execution layer. (thehackernews.com) At the same time, Anthropic is also promoting Claude as a security tool. On April 7, the company published technical details on Claude Mythos Preview and said it had launched Project Glasswing to help secure critical software. Anthropic said Mythos was capable of identifying and exploiting zero-day vulnerabilities in major operating systems and browsers during testing, and said more than 99% of the vulnerabilities it found had not yet been patched, limiting what it could disclose publicly. (red.anthropic.com) That capability is now showing up in outside reporting. Engadget and Mashable, citing The Wall Street Journal and a Calif blog post, said researchers at Palo Alto-based Calif used Mythos Preview to help identify bugs and build a privilege-escalation exploit affecting macOS. Calif described the work as the first public macOS kernel memory corruption exploit on Apple M5, while Apple said it takes potential vulnerability reports seriously and met with the researchers at Apple Park in Cupertino. Full technical details are being held until Apple fixes the vulnerabilities and attack path, the reports said. (engadget.com) The thread running through both sets of news is concrete. Anthropic’s tools are being used to find serious bugs, but Anthropic’s own products have also been shown to create new attack surfaces when trust checks happen too late, or in the wrong place. (blog.checkpoint.com)