Critical RCE Vulnerability Patched in Anthropic’s Claude Code AI Assistant
On May 12, 2026, security researcher Joernchen of 0day.click disclosed a severe remote code execution (RCE) vulnerability in Anthropic’s Claude Code, an AI-powered coding assistant. The flaw, now fixed in version 2.1.118, allowed attackers to execute arbitrary shell commands on a victim’s system via maliciously crafted claude-cli:// deeplinks.
The vulnerability stemmed from a flawed eagerParseCliFlag function in Claude Code’s main.tsx, which parsed command-line flags like --settings before the application fully initialized. The function indiscriminately scanned the entire command-line array for strings starting with --settings=, failing to distinguish between legitimate flags and argument values. When combined with Claude Code’s deeplink handler which accepted a q parameter to prefill user prompts attackers could embed a malicious --settings payload within the q parameter, tricking the parser into processing it as a valid flag.
By injecting a crafted JSON payload into the settings, attackers could exploit a SessionStart hook a legitimate feature designed to run commands at session start to execute arbitrary shell commands. A proof-of-concept deeplink demonstrated the attack on macOS, silently launching the Calculator app and writing system details to a file without user interaction beyond clicking the link.
The exploit’s severity was compounded by a secondary issue: the workspace trust dialog could be bypassed entirely if the deeplink’s repo parameter matched a previously trusted repository, such as anthropics/claude-code. This allowed command execution to occur silently in the background.
Anthropic patched the vulnerability in version 2.1.118, addressing the underlying issue of context-free CLI parsing a known injection vector. The incident underscores the risks of improper flag parsing, where arguments must be evaluated in full context to prevent exploitation. Organizations using Claude Code are advised to ensure they are running the latest version.
Source: https://cyberpress.org/claude-code-rce-vulnerability/
Anthropic cybersecurity rating report: https://www.rankiteo.com/company/anthropicresearch
"id": "ANT1779085461",
"linkid": "anthropicresearch",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Users of vulnerable versions of '
'Claude Code',
'industry': 'Artificial Intelligence / Software '
'Development',
'name': 'Anthropic',
'type': 'Company'}],
'attack_vector': 'Maliciously crafted claude-cli:// deeplinks',
'customer_advisories': 'Users advised to update to the latest version of '
'Claude Code.',
'date_detected': '2026-05-12',
'date_publicly_disclosed': '2026-05-12',
'date_resolved': '2026-05-12',
'description': 'A severe remote code execution (RCE) vulnerability was '
'disclosed in Anthropic’s Claude Code, an AI-powered coding '
'assistant. The flaw allowed attackers to execute arbitrary '
'shell commands on a victim’s system via maliciously crafted '
'claude-cli:// deeplinks. The vulnerability was patched in '
'version 2.1.118.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'critical vulnerability',
'operational_impact': 'Arbitrary shell command execution on '
'affected systems',
'systems_affected': 'Victim’s system running vulnerable versions '
'of Claude Code'},
'investigation_status': 'Resolved',
'lessons_learned': 'Risks of improper flag parsing and the importance of '
'evaluating arguments in full context to prevent '
'exploitation.',
'post_incident_analysis': {'corrective_actions': 'Fixed CLI flag parsing and '
'workspace trust dialog '
'logic in version 2.1.118',
'root_causes': 'Flawed eagerParseCliFlag function, '
'improper CLI flag parsing, and '
'workspace trust dialog bypass'},
'recommendations': 'Organizations using Claude Code should ensure they are '
'running the latest version (2.1.118 or later).',
'references': [{'date_accessed': '2026-05-12',
'source': '0day.click (Joernchen)'}],
'response': {'communication_strategy': 'Public disclosure by security '
'researcher and patch release',
'containment_measures': 'Patch released in version 2.1.118',
'remediation_measures': 'Fixed flawed CLI flag parsing and '
'workspace trust dialog bypass'},
'title': 'Critical RCE Vulnerability Patched in Anthropic’s Claude Code AI '
'Assistant',
'type': 'Remote Code Execution (RCE)',
'vulnerability_exploited': 'Flawed eagerParseCliFlag function in main.tsx, '
'improper CLI flag parsing, and workspace trust '
'dialog bypass'}