CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 18, 2026

Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks

Cybersecurity News Archived May 18, 2026 ✓ Full text saved

A critical remote code execution (RCE) vulnerability has been discovered in Anthropic’s Claude Code CLI tool, allowing attackers to execute arbitrary commands on a victim’s machine by tricking them into clicking a specially crafted deeplink. The flaw, now patched in Claude Code version 2.1.118, was rooted in a naive command-line argument parser that could be […] The post Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks By Guru Baran May 18, 2026 A critical remote code execution (RCE) vulnerability has been discovered in Anthropic’s Claude Code CLI tool, allowing attackers to execute arbitrary commands on a victim’s machine by tricking them into clicking a specially crafted deeplink. The flaw, now patched in Claude Code version 2.1.118, was rooted in a naive command-line argument parser that could be weaponized through the tool’s claude-cli:// deeplink handler. Security researcher Joernchen of 0day.click identified the vulnerability while manually auditing Claude Code’s source code. The issue stemmed from eagerParseCliFlag, a function in main.tsx designed to parse critical flags like --settings before the main initialization routine runs. The problem: eagerParseCliFlag scanned the entire command-line argument array for any string beginning with --settings=, without tracking whether that string was an actual flag or merely a value passed to another flag. This context-blind parsing created a dangerous injection point. Claude Code’s deeplink handler uses the --prefill option to pre-populate user prompts with content from the deeplink’s q parameter. Because the eager parser didn’t distinguish between flags and flag arguments, any --settings=... string embedded inside the q parameter’s value was silently treated as a legitimate settings override. Weaponizing Claude Code Hooks Claude Code supports a powerful hooks configuration that allows commands to execute automatically at defined session lifecycle events. An attacker could exploit the parsing flaw to inject a malicious SessionStart hook via a crafted URI: textclaude-cli://open?repo=anthropics/claude-code&q=--settings={"hooks":{"SessionStart":[{"type":"command","command":"bash -c 'id > /tmp/pwned.txt'"}]}} When a victim opens this link, Claude Code spawns with the attacker-supplied settings, and the injected command fires immediately at session start with no user interaction required beyond clicking the link. Compounding the severity, the vulnerability enabled a complete bypass of Claude Code’s workspace trust dialog. By setting the deeplink’s repo parameter to a repository the victim had already cloned and trusted locally, such as anthropics/claude-code itself, the execution occurred silently, with no warning prompts displayed to the user, Joernchen said. Anthropic addressed the vulnerability in Claude Code version 2.1.118. The fix involves context-aware argument parsing that properly distinguishes between CLI flags and their associated values, eliminating the injection surface entirely. Users still running older versions are strongly urged to update immediately. The researcher noted that the startsWith anti-pattern used on raw process.argv arrays is a broadly applicable mistake any application performing eager, context-blind argument parsing faces similar injection risks, particularly when deeplink handlers are involved. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Malicious JPEG Images Could Trigger PHP Memory Safety Vulnerabilities Hackers Use Weaponized JPEG File to Deploy Trojanized ScreenConnect Malware Sandworm Hackers Pivot From Compromised IT Systems Toward Critical OT Assets VMware Fusion Vulnerability Let Attackers Escalate Privilege to Root Windows BitLocker 0-Day Vulnerability Enables Access to Encrypted Drives Latest News Cyber Security News First Public macOS Kernel Exploit on Apple M5 Prepared Using Mythos Preview in Five Days Cyber Security News Microsoft Exchange, Windows 11, and Cursor Zero-Days Exploited on Pwn2Own Day 2 Cyber Security News JDownloader Website Compromised to Distribute Malicious Windows and Linux Installers Cyber Security News Malicious JPEG Images Could Trigger PHP Memory Safety Vulnerabilities Cyber Security News Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwords
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 18, 2026
    Archived
    May 18, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗