{"id":4136,"date":"2026-05-22T21:11:42","date_gmt":"2026-05-22T21:11:42","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/05\/22\/attackers-can-exploit-a-claude-code-rce-flaw-to-take-command-of-system\/"},"modified":"2026-05-22T21:11:42","modified_gmt":"2026-05-22T21:11:42","slug":"attackers-can-exploit-a-claude-code-rce-flaw-to-take-command-of-system","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/05\/22\/attackers-can-exploit-a-claude-code-rce-flaw-to-take-command-of-system\/","title":{"rendered":"Attackers Can Exploit a Claude Code RCE Flaw to Take Command of System"},"content":{"rendered":"<p>A dangerous vulnerability found in Anthropic\u2019s popular <a href=\"https:\/\/devops.com\/claude-code-routines-anthropics-answer-to-unattended-dev-automation\/\" target=\"_blank\" rel=\"noopener\">Claude Code developer<\/a> model could have allowed bad actors to grab control of a victim\u2019s system by luring them into clicking a crafted malicious deeplink.<\/p>\n<p>Once the link was opened, the attacker could exploit the remote code execution (RCE) flaw to run arbitrary commands, including shell commands, inside the target\u2019s Claude Code instance.<\/p>\n<p>The vulnerability in version 2.1.118 of Claude Code has since been fixed, but it\u2019s another example of the security issues in these developer-focused tools that arise as 
adoption accelerates.<\/p>\n<p>A <a href=\"https:\/\/codesignal.com\/report-developers-and-ai-coding-assistant-trends\/\" target=\"_blank\" rel=\"noopener\">survey<\/a> of more than 1,000 developers around the world by CodeSignal, which offers an AI-native skills platform to assess and develop technical talent, found that 81% of respondents said they\u2019re using AI for development, with companies increasingly mandating the use of coding assistants.<\/p>\n<p>The RCE vulnerability in Claude Code was uncovered by security researcher Joernchen of 0day.click as he manually worked through Claude Code\u2019s source code, \u201clooking at different configuration options and tried to see what\u2019s actually \u2018useful\u2019 from an attacker\u2019s perspective.\u201d<\/p>\n<h3>A Parsing Problem<\/h3>\n<p>After doing some \u201cspelunking in the early-executed code in main.tsx,\u201d Joernchen <a href=\"https:\/\/0day.click\/recipe\/2026-05-12-cc-rce\/\" target=\"_blank\" rel=\"noopener\">wrote<\/a> that he found a problem in the eagerParseCliFlag function in main.tsx, which parses critical command-line flags such as --settings before the main initialization routine runs.<\/p>\n<p>\u201cI came to the conclusion that this style of parsing was very handy to exploit Claude Code\u2019s deeplink handling,\u201d the researcher wrote. \u201cTraditionally deeplink handlers tend to be vulnerable to some shell escape issues. 
This however was not the problem here.\u201d<\/p>\n<p>At issue, he wrote, is that eagerParseCliFlag \u201cnaively parsed\u201d the entire command line, picking up any string starting with \u201c--settings=\u2026\u201d rather than only the actual command-line flags and their values.<\/p>\n<h3>Injecting Arbitrary Settings<\/h3>\n<p>\u201cThis created a conveniently exploitable vulnerability when combined with the Claude Code deeplink handler for claude-cli:\/\/open URIs,\u201d Joernchen wrote. \u201cBecause of this parsing behavior, it was possible to inject arbitrary settings into the spawned Claude Code instance, including the execution of arbitrary commands via a hooks setting.\u201d<\/p>\n<p>The deeplink handler passes the deeplink\u2019s q parameter as the value of the --prefill CLI option in order to prefill the user prompt. The eager settings parser, however, did not recognize that a --settings=\u2026 string supplied as the argument to --prefill is a value for that option and not an option itself, so it processed it as a legitimate settings flag.<\/p>\n<h3>The Model Spawns<\/h3>\n<p>Joernchen showed an example of how to inject a SessionStart hook via a crafted deeplink aimed at macOS. If the target opens the link, Claude Code spawns a new and independent agent that includes the settings supplied by the attacker, complete with the injected command. 
The command goes into action when the session starts, without the user having to do anything else.<\/p>\n<p>Adding to the problem, a bad actor could bypass the workspace trust dialog, according to Joernchen.<\/p>\n<p>\u201cIf the repo parameter in the deep link is set to a repository the user has already cloned locally and trusted (like anthropics\/claude-code), the execution happened without any warning prompts,\u201d the researcher wrote.<\/p>\n<p>He added that \u201cthe pattern of using startsWith on the full command line array is a somewhat problematic anti-pattern that allows flags to be sneaked into values. The parsing of command line flags and their arguments should always be done in full context to prevent this exact type of injection.\u201d<\/p>\n<p><a href=\"https:\/\/devops.com\/attackers-can-exploit-a-claude-code-rce-flaw-to-take-command-of-system\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>A dangerous vulnerability found in Anthropic\u2019s popular Claude Code developer model could have allowed bad actors to grab control of 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4137,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","categories":[5],"tags":[],"class_list":["post-4136","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"]}