A remote code execution vulnerability in Anthropic’s Claude Code let attackers execute arbitrary commands on developer machines by crafting a malicious deeplink. The flaw, found in the eagerParseCliFlag function in main.tsx, affected version 2.1.118 and has since been patched.

How the Exploit Works
Security researcher Joernchen of 0day.click discovered the vulnerability while reviewing Claude Code’s source code. The issue lies in how the eagerParseCliFlag function handles command-line arguments. The function naively parsed the entire command line with any string starting with “–settings=…” rather than properly handling flags and their values.
When combined with Claude Code’s deeplink handler for claude-cli://open URIs, an attacker could inject arbitrary settings into a spawned Claude Code instance. This included the ability to execute arbitrary commands via a “hooks” setting.
The attack vector works like this: an attacker creates a specially crafted deeplink URL. If a developer clicks that link, Claude Code spawns with the attacker’s injected settings, including a SessionStart hook that runs automatically. No further user interaction is needed.
Bypassing the Workspace Trust Dialog
Even worse, the exploit bypassed the workspace trust dialog. If the “repo” parameter in the deeplink pointed to a repository the user had already cloned and trusted (such as anthropics/claude-code itself), execution happened without any warning prompts.
Joernchen demonstrated the vulnerability by injecting a SessionStart hook via a crafted deep link on macOS. Once the target opens the link, Claude spawns as an independent agent running the attacker’s commands.
Anthropic’s Fix
Anthropic patched the vulnerability in version 2.1.118. The fix addresses the root cause: the pattern of using startsWith on the full command line array, which allowed flags to be injected into values. The patched version now parses command line flags and their arguments in full context, preventing this type of injection.
Broader Implications for AI Coding Tools
This is part of a growing pattern of security issues in AI development tools. Check Point Research previously identified three critical vulnerabilities in Claude Code related to its use of project-level configuration files, Hooks, Model Context Protocol (MCP) servers, and environment variables. Those vulnerabilities also enabled RCE and API token exfiltration.
With 81% of developers now using AI coding tools according to a CodeSignal survey, the attack surface for these tools matters. A flaw in an AI coding assistant doesn’t just compromise one developer; it can compromise every codebase that assistant touches.
Frequently Asked Questions
What is the Claude Code RCE vulnerability?
CVE-2026-39861 is a remote code execution flaw in Claude Code that let attackers inject arbitrary commands via crafted deeplinks. The vulnerability was in the eagerParseCliFlag function in version 2.1.118.
How could an attacker exploit this vulnerability?
An attacker could create a malicious claude-cli://open deeplink that, when clicked by a developer, spawns Claude Code with injected settings including a command execution hook. No further interaction is needed.
Is Claude Code safe to use now?
Anthropic has patched the vulnerability in version 2.1.118. Update Claude Code to the latest version immediately to ensure you are protected.
Which other AI coding tools have had similar vulnerabilities?
Check Point Research previously found three critical RCE vulnerabilities in Claude Code related to configuration files and MCP servers. Other AI tools like GitHub Copilot have also faced security scrutiny, though specific RCE vulnerabilities vary by tool.
