'Claudy Day’ Trio of Flaws Exposes Claude Users to Data Theft

VULNERABILITIES & THREATS CYBER RISK REMOTE WORKFORCE ENDPOINT SECURITY NEWS 'Claudy Day’ Trio of Flaws Exposes Claude Users to Data Theft A prompt injection vulnerability paired with other flaws can turn a Google search into a full attack chain that could threaten enterprise networks. Elizabeth Montalbano,Contributing Writer March 18, 2026 5 Min Read SOURCE: RALF LIEBHOLD VIA ALAMY STOCK PHOTO An attack chain featuring three separate flaws found in Anthropic’s Claude artificial intelligence (AI) agent could have allowed attackers to embed malicious hidden instructions in a pre-filled chat URL via a Google search, steal sensitive user data, and expose users to malicious links that appear like legitimate search results. Researchers from Oasis Security discovered the flaws, which individually were concerning on their own, according to a report published Wednesday. However, when chained together in an attack dubbed "Claudy Day," they "create a complete attack pipeline from targeted victim delivery to silent data exfiltration," according to the report by the Oasis Secrurity Research Team. The attack chain begins when a potential victim searches for Claude on Google and clicks on what appears to be a legitimate search result but is in reality a an attacker-controlled page with a pre-filled prompt containing hidden instructions, according to the team. Those instructions cause the agent to perform actions that the victim never intended, such as silently exfiltrating sensitive data, without the need for any additional tools, integrations, or model context protocol (MCP) servers. Related:Fake PoCs, Misunderstood Risks Cause Cisco SD-WAN Chaos The trio of flaws includes an invisible prompt injection via URL parameters on Claude.ai; a data exfiltration channel via the Anthropic Files API; and an open redirect on Claude.ai, according to the report. Oasis researchers informed Claude creators Anthropic of its discovery of the attack chain through its responsible disclosure program. Anthropic has fixed the prompt injection flaw and is currently working to address the other issues, according to Oasis. How a Chained Attack Works Loading... The researchers describe how one click can set off the entire attack chain, although there is some work on the part of the attacker to create a scenario in which a user can be comprised. An attack starts with a threat actor crafting an injection URL via a claude.ai/new?q= URL with hidden exfiltration instructions, including the attacker's API key, embedded in invisible HTML tags. Then, by wrapping in the open redirect flaw in the URL using a a claude.com/redirect/<crafted-url> link, they can make the URL appear to originate from a trusted Anthropic domain.  The attacker then can create a Google Ad using the redirect URL, which results in Google validating the claude.com hostname and approving the ad that displays a trusted claude.com URL identical to the legitimate Claude result. This is when a potential victim steps into the picture by searching for Claude on Google and seeing what looks like a typical search result for the AI tool. An unsuspecting user will think they are navigating to the legitimate Claude interface and click on the link, after which they will be silently redirected from claude.com to claude.ai with a pre-filled prompt that contains hidden instructions. Related:Cisco Drops 48 New Firewall Vulnerabilities, 2 Critical Since the victim believes they are interacting with the legitimate Claude AI assistant, they will send a prompt, but only see the benign visible portion of the prompt in the text box. When they the send the prompt, Claude processes both the visible and hidden instructions embedded by the attacker.  These instructions allow the attacker to access conversation history and extract sensitive data, according to Oasis. This occurs by Claude writing the data to a file in the sandbox and uploading it to api.anthropic.com (Files API) using the attacker's embedded API key. The attacker then lists files in their Anthropic account, finds the new upload, and reads the exfiltrated data, according to the researchers. Attack Severity Depends on Agent Access  There are levels of severity to a potential attack depending on what the agent has access to, according to Oasis. In a basic Claude chat in which the AI agent isn't integrated with any other systems or apps, the hidden injection can access conversation history and memory, extract sensitive information from past chats, and exfiltrate it via the Files API. Related:Cisco SD-WAN Zero-Day Under Exploitation for 3 Years But if the Claude session used by the victim has MCP servers, tools, or integrations enabled, the injected prompt can trigger various actions on the user's behalf, according to Oasis. This includes reading files, sending messages, accessing APIs, or interacting with connected services. Any data obtained through these activities can then be exfiltrated by attackers. "For organizations deploying AI agents with access to enterprise systems, this attack chain highlights a broader challenge: prompt integrity cannot be assumed when the delivery channel itself can be compromised," according to the research team. Making Enterprise AI Agent Use Safer Oasis' findings highlight growing concerns around prompt integrity as a critical security boundary for AI agents — especially those with access to sensitive data, enterprise tools, or historical user context. As enterprises continue to adopt AI agents into every-day employee workflow, security holes exposed by these tools become more critical to plug.   The discovery of "Claudy Day" also demonstrates insecurity in Anthropic's Claude AI agent. While Claude is considered by some security researchers to be one of the safest AI assistants currently avaiable, previous flaws have been found — and the model even was used by nation-state actors for cyberespionage.  The findings represent a call to action for organizations to continue to set up guardrails around the use of AI agents in the enterprise as they take on "greater autonomy and broader access to enterprise resources," according to the research team. One key security guideline to follow would be to restrict access for AI tools because such access amplifies prompt-injection risk, according to the report.  "When MCP servers and integrations are available from the very first interaction, with no user confirmation, a single injected prompt can immediately leverage those tools," the researchers wrote. "Requiring explicit user approval before using the tool on the first prompt would add a meaningful barrier." About the Author Elizabeth Montalbano Contributing Writer Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking. More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like VULNERABILITIES & THREATS Cheap Hardware Module Bypasses AMD, Intel Memory Encryption by Rob Wright NOV 25, 2025 VULNERABILITIES & THREATS Patch Now: Microsoft Flags Zero-Day & Critical Zero-Click Bugs by Jai Vijayan, Contributing Writer NOV 11, 2025 VULNERABILITIES & THREATS AI Agents Fail in Novel Ways, Put Businesses at Risk by Robert Lemos, Contributing Writer MAY 07, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE