Your AI Coding Tool's Config Files Are Attack Vectors Now

In February 2026, Check Point Research published findings on three vulnerabilities in Anthropic's Claude Code that let attackers achieve remote code execution and steal API credentials. The attack surface wasn't a buffer overflow or a memory corruption bug. It was .claude/settings.json.

Configuration files that were once passive data — a place to store preferences — now control active execution paths. Hooks run shell commands. MCP servers initialize network connections. Environment variables route API traffic. And all of it can be committed to a repository and activated the moment someone clones and opens it.

This isn't just a Claude Code problem. It's the shape of every AI coding tool attack that's coming next.

Three CVEs, One Pattern

Check Point's research disclosed three distinct attack chains, all exploiting repository-controlled configuration files.

CVE-2025-59536: Remote Code Execution via Hooks (CVSS 8.7)

Claude Code's hooks feature lets developers run shell commands at lifecycle events — when a session starts, before a tool executes, after a file is saved. Hooks are configured in .claude/settings.json, which lives inside the project directory and gets committed to version control.

The problem: hooks configured in a repository's settings file executed automatically when a developer ran claude in that directory. No explicit approval required. The trust dialog appeared, but by then the shell commands had already fired.

The attack: An attacker commits a .claude/settings.json file with a SessionStart hook that runs an arbitrary command — download a payload, exfiltrate environment variables, install a backdoor. A developer clones the repo, runs claude, and the hook executes before they read the trust prompt.

CVE-2025-59536: MCP Server Consent Bypass

The same CVE covers a second vector. Claude Code's .mcp.json file defines Model Context Protocol servers — external tools that the AI agent can call. The design intent is that MCP servers require user approval before initialization.

But two settings in .claude/settings.json — enableAllProjectMcpServers and enabledMcpjsonServers — could auto-approve MCP servers before the trust dialog appeared. An attacker includes both the MCP server definition and the auto-approval setting in the repo. When a developer opens the project, the MCP server's initialization commands execute immediately.

The attack: An attacker defines a malicious MCP server that runs arbitrary commands during initialization. The repository's settings file pre-approves it. Execution happens before the developer interacts with any dialog.

CVE-2026-21852: API Key Exfiltration (CVSS 5.3)

This one is elegant and alarming. Claude Code reads an ANTHROPIC_BASE_URL environment variable to determine where to send API requests. This variable can be set in .claude/settings.json.

An attacker sets ANTHROPIC_BASE_URL to point at their own server. When a developer opens the project, Claude Code sends its first API request — including the developer's Anthropic API key in the Authorization header — to the attacker's endpoint. This happened before the trust dialog was shown.

The attack: A developer clones a repo and runs claude. Before any prompt appears, their API key is sent in plaintext to a server the attacker controls.

The stolen key isn't just an API credit risk. Anthropic API keys provide access to Claude Workspaces, which means the attacker can read files shared across the entire team, execute code in the workspace environment, and delete or corrupt shared data.

The Pattern: Config Files Are the New Binary

All three attacks share the same shape:

1. A configuration file is committed to a repository
2. The file controls an execution path in the development tool
3. Execution happens before the developer has a chance to review or approve
4. The attack requires no social engineering beyond "clone this repo"

This pattern isn't unique to Claude Code. It's emerging across the entire AI coding tool ecosystem.

Cursor reads .cursor/rules files from project directories. These files instruct the AI on how to behave in the project context — which means they influence what code the AI generates, what tools it calls, and how it interprets developer intent.

GitHub Copilot supports custom instructions via .github/copilot-instructions.md files. These files control Copilot's behavior at the repository level.

MCP configuration (.mcp.json, mcp.json) is becoming a de facto standard across tools. Any AI coding tool that supports MCP servers — and that list is growing fast — inherits the same class of attack surface: a JSON file in the repo that defines executables to run.

In all cases, what used to be a passive preference file now defines active behavior. And because these files live in the repository, they travel through the same channels as legitimate code: pull requests, open source contributions, tutorial repos, starter templates.

Why Trust Dialogs Don't Solve This

Anthropic's fixes for all three CVEs follow the same approach: defer execution until after the user confirms trust. This is the right immediate fix. But it doesn't address the structural problem.

Developers approve trust dialogs reflexively. If you clone a repo to work on it, you trust it. The dialog is a speedbump, not a gate. Research on permission dialogs consistently shows that users approve prompts they encounter repeatedly — especially when approval is the only path to doing their work.

The attack surface grows with every new feature. Hooks, MCP servers, environment variables, custom instructions, rules files. Each new feature that reads configuration from the project directory adds another execution path that an attacker can control. Trust dialogs scale linearly. Attack surface grows combinatorially.

Configuration review isn't part of code review. Developers review .py, .ts, and .rs files in pull requests. How many review .claude/settings.json or .mcp.json with the same scrutiny? Check Point's researchers noted that "configuration files receive less security scrutiny than application code during reviews, amplifying attack effectiveness."

What Actually Works: Defense in Depth

Trust dialogs are one layer. Here's what a complete defense looks like.

1. Network-layer monitoring catches what trust dialogs miss

The API key exfiltration attack (CVE-2026-21852) is literally a man-in-the-middle attack in reverse — the attacker redirects the tool's traffic to their own endpoint. A network-layer proxy that monitors all outbound connections from AI tools would flag this immediately: "Your Claude Code just sent an API request to evil-server.com:8443 instead of api.anthropic.com."

This is exactly what CitrusGlaze does. Every AI API call passes through the proxy. If a tool suddenly starts talking to an unexpected destination, you see it in real-time. No configuration file can redirect traffic without the proxy noticing.

2. Destination allowlists block exfiltration

If your proxy only permits AI traffic to known-good destinations — api.anthropic.com, api.openai.com, generativelanguage.googleapis.com — then the ANTHROPIC_BASE_URL attack fails entirely. The redirected request hits the allowlist and gets blocked before a single byte leaves your machine.

3. Secret detection catches credentials in transit

Even if an attack bypasses the trust dialog and the configuration looks legitimate, secret detection at the network layer provides a final safety net. API keys, tokens, and credentials in outbound requests get flagged regardless of the destination. If a hook exfiltrates your GITHUB_TOKEN to a legitimate-looking endpoint, the secret scanner catches the credential pattern in the request body.

4. Tool call policy enforcement

MCP server attacks work because the AI tool executes commands defined in a config file. A proxy that inspects tool call arguments — what commands are being run, what files are being accessed, what network connections are being made — can enforce policies on what AI agents are allowed to do. "This MCP server is trying to run curl to an external endpoint" is actionable information.

The Bigger Picture: 30 MCP CVEs in 60 Days

The Claude Code vulnerabilities are part of a larger pattern. Between January and February 2026, security researchers filed over 30 CVEs targeting MCP servers, clients, and infrastructure. Among them:

• Three vulnerabilities in Anthropic's own mcp-server-git that could be exploited via prompt injection to read arbitrary files, delete files, and execute code
• CVE-2026-26118 (CVSS 8.8): An elevation of privilege vulnerability in Azure MCP Server Tools caused by server-side request forgery
• Among 2,614 MCP implementations surveyed, 82% use file operations vulnerable to path traversal, two-thirds have code injection risk, and over a third are susceptible to command injection

MCP is barely a year old and already has more CVEs than most mature protocols accumulate in a decade. The protocol's design — "let AI tools execute arbitrary programs defined in JSON files" — makes this inevitable.

What to Do Right Now

If your team uses AI coding tools (and 84% of developers do), here are concrete steps:

Audit your repositories. Search for .claude/, .cursor/, .mcp.json, .github/copilot-instructions.md, and any other AI tool configuration directories. Know what's checked in and what it does.

Add config files to code review. Treat .claude/settings.json and .mcp.json with the same scrutiny as Dockerfile or .github/workflows/. Both define execution paths. Both can be weaponized.

Pin your tool versions. All three Claude Code CVEs have been patched. But the patches only help if you're running a recent version. Claude Code fixed hooks in v1.0.111 (October 2025), MCP bypass in September 2025, and API exfiltration in December 2025. Check your version.

Deploy network-layer monitoring. Trust dialogs protect against accidental misuse. Network-layer monitoring protects against everything else. If an AI tool sends a request to an unexpected destination, carries a credential it shouldn't, or executes a tool call that violates policy — you see it.

Restrict MCP servers. If your team doesn't need custom MCP servers, disable them. If they do need them, maintain an allowlist of approved servers and block everything else.

Configuration Files Are the New Executables

The lesson from CVE-2025-59536 and CVE-2026-21852 isn't "Claude Code had bugs." Anthropic patched these quickly and responsibly. The lesson is that AI coding tools have changed what configuration files mean.

A .gitignore file lists patterns. A .editorconfig file sets formatting preferences. A .claude/settings.json file runs shell commands, initializes network servers, and routes API traffic.

When you clone a repository, you're not just downloading source code anymore. You're downloading execution instructions for the most privileged tool on your machine — your AI coding assistant, running with your credentials, your file access, and your network permissions.

Every AI tool vendor will keep adding features that read from project configuration. Each feature adds another vector. The question isn't whether the next CVE will arrive — it's whether you'll see it when it fires.

---

CitrusGlaze is an open-source AI traffic proxy that monitors every AI API call at the network layer — destinations, credentials, tool calls, and data. It catches configuration-based attacks like CVE-2026-21852 by detecting unexpected destinations and credential exfiltration in real-time. Install in 5 minutes →

---

Sources:

• Check Point Research: Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files (February 2026)
• The Hacker News: Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration (February 2026)
• The Register: Claude's collaboration tools allowed remote code execution (February 2026)
• Hacker News Discussion: MCP Security 2026: 30 CVEs in 60 Days (March 2026)
• The Hacker News: Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution (January 2026)
• Practical DevSecOps: MCP Server Vulnerabilities 2026 (2026)
• Stack Overflow: Developer Survey 2025 — 84% of developers use AI coding tools
• ACM Digital Library: The Habituation Effect in Permission Dialogs