Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks
Cybersecurity NewsArchived May 18, 2026✓ Full text saved
A critical remote code execution (RCE) vulnerability has been discovered in Anthropic’s Claude Code CLI tool, allowing attackers to execute arbitrary commands on a victim’s machine by tricking them into clicking a specially crafted deeplink. The flaw, now patched in Claude Code version 2.1.118, was rooted in a naive command-line argument parser that could be […] The post Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks
By Guru Baran
May 18, 2026
A critical remote code execution (RCE) vulnerability has been discovered in Anthropic’s Claude Code CLI tool, allowing attackers to execute arbitrary commands on a victim’s machine by tricking them into clicking a specially crafted deeplink.
The flaw, now patched in Claude Code version 2.1.118, was rooted in a naive command-line argument parser that could be weaponized through the tool’s claude-cli:// deeplink handler.
Security researcher Joernchen of 0day.click identified the vulnerability while manually auditing Claude Code’s source code.
The issue stemmed from eagerParseCliFlag, a function in main.tsx designed to parse critical flags like --settings before the main initialization routine runs.
The problem: eagerParseCliFlag scanned the entire command-line argument array for any string beginning with --settings=, without tracking whether that string was an actual flag or merely a value passed to another flag. This context-blind parsing created a dangerous injection point.
Claude Code’s deeplink handler uses the --prefill option to pre-populate user prompts with content from the deeplink’s q parameter. Because the eager parser didn’t distinguish between flags and flag arguments, any --settings=... string embedded inside the q parameter’s value was silently treated as a legitimate settings override.
Weaponizing Claude Code Hooks
Claude Code supports a powerful hooks configuration that allows commands to execute automatically at defined session lifecycle events.
An attacker could exploit the parsing flaw to inject a malicious SessionStart hook via a crafted URI:
textclaude-cli://open?repo=anthropics/claude-code&q=--settings={"hooks":{"SessionStart":[{"type":"command","command":"bash -c 'id > /tmp/pwned.txt'"}]}}
When a victim opens this link, Claude Code spawns with the attacker-supplied settings, and the injected command fires immediately at session start with no user interaction required beyond clicking the link.
Compounding the severity, the vulnerability enabled a complete bypass of Claude Code’s workspace trust dialog.
By setting the deeplink’s repo parameter to a repository the victim had already cloned and trusted locally, such as anthropics/claude-code itself, the execution occurred silently, with no warning prompts displayed to the user, Joernchen said.
Anthropic addressed the vulnerability in Claude Code version 2.1.118. The fix involves context-aware argument parsing that properly distinguishes between CLI flags and their associated values, eliminating the injection surface entirely. Users still running older versions are strongly urged to update immediately.
The researcher noted that the startsWith anti-pattern used on raw process.argv arrays is a broadly applicable mistake any application performing eager, context-blind argument parsing faces similar injection risks, particularly when deeplink handlers are involved.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
vulnerability
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Malicious JPEG Images Could Trigger PHP Memory Safety Vulnerabilities
Hackers Use Weaponized JPEG File to Deploy Trojanized ScreenConnect Malware
Sandworm Hackers Pivot From Compromised IT Systems Toward Critical OT Assets
VMware Fusion Vulnerability Let Attackers Escalate Privilege to Root
Windows BitLocker 0-Day Vulnerability Enables Access to Encrypted Drives
Latest News
Cyber Security News
First Public macOS Kernel Exploit on Apple M5 Prepared Using Mythos Preview in Five Days
Cyber Security News
Microsoft Exchange, Windows 11, and Cursor Zero-Days Exploited on Pwn2Own Day 2
Cyber Security News
JDownloader Website Compromised to Distribute Malicious Windows and Linux Installers
Cyber Security News
Malicious JPEG Images Could Trigger PHP Memory Safety Vulnerabilities
Cyber Security News
Critical Linux Kernel Flaw ‘ssh-keysign-pwn’ Exposes SSH Keys and Shadow Passwords