Security experts flag multiple issues in Claude Code, warning, 'As AI integration deepens, security controls must evolve to match the new trust boundaries'
techradar.com
- Check Point found three vulnerabilities in Claude Code AI coding assistant
- Flaws enabled RCE and API key theft
- Issues exploited via malicious repositories; all patched before disclosure
If you’re looking at deeply integrating AI tools into your workflows, be extra careful, as some popular AI models come with severe vulnerabilities which can turn a trusted digital assistant into a malicious insider.
Researchers from Check Point (CPR) have detailed three vulnerabilities in Claude Code that can be used to remotely execute malicious code (RCE) or steal sensitive data, such as API credentials, from unsuspecting victims.
Of the three flaws, two have been labeled: CVE-2025-59536 (8.7/10) and CVE-2026-21852 (5.3/10). The third, which hasn’t been assigned a CVE yet, is a code injection vulnerability.


