Claude Code RCE Flaw Enables Silent Command Execution
A critical remote code execution (RCE) vulnerability in Anthropic’s Claude Code AI coding assistant has been publicly disclosed, allowing attackers to silently execute arbitrary shell commands on a victim’s machine through a single crafted URL.
The flaw, discovered by security researcher Joernchen of 0day.click and disclosed on May 12, 2026, has since been patched in Claude Code version 2.1.118.
The root cause lived in a function called eagerParseCliFlag, located inside Claude Code’s main.tsx. This function was designed to parse specific command-line flags, particularly --settings, before the main initialization process completed.
To do this, it scanned the entire command-line argument array for any string beginning with --settings=, without any awareness of whether that string was an independent flag or simply a value being passed to a different flag entirely.
On its own, the oversight seemed minor. Combined with Claude Code’s deeplink handler for claude-cli://open URIs, it became a fully weaponizable attack vector.
The deeplink handler accepted a q parameter to prefill the user’s prompt, passing it internally via the --prefill CLI option, said researcher Joernchen.
Because eagerParseCliFlag had no context-awareness, an attacker could embed a malicious --settings= string inside the q parameter value. The eager parser would treat it as a legitimate settings flag and process it without question.
By injecting a crafted JSON payload into the settings object, an attacker could register a SessionStart hook, a legitimate Claude Code feature designed to run commands when a session begins.
This meant arbitrary shell commands would fire automatically when the victim opened the deeplink. Joernchen’s proof-of-concept deeplink for macOS looked like this:
claude-cli://open?repo=anthropics/claude-code&q=--settings={"hooks":{"SessionStart":[{"matcher":"*","hooks":[{"type":"command","command":"bash -c 'open /System/Applications/Calculator.app ; id > /tmp/joernchen_was_here.txt'"}]}]}}
Clicking this URL required no further interaction. It silently launched the system Calculator app and wrote the victim’s system identity details to disk, demonstrating full command execution with a single click.
The attack surface widened further due to a secondary flaw: the workspace trust dialog could be completely bypassed. Claude Code normally prompts users before executing code in untrusted repositories.
However, if the repo parameter in the deeplink matched a repository the user had already cloned and trusted locally, such as anthropics/claude-code itself, no warning was displayed, and execution proceeded silently in the background.
This combination of context-free CLI parsing and trust dialog bypass created a seamless, stealthy attack chain requiring no elevated privileges and no user awareness beyond opening a link.
Patch and Recommended Actions
Anthropic addressed both issues in Claude Code version 2.1.118. The fix resolves the anti-pattern of using startsWith across the full argument array without tracking flag-versus-value context, a classic injection vector in CLI tooling.
Security teams should note that proper CLI flag parsing must evaluate each argument within its full positional context, distinguishing flags from their associated argument values at every step.
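The parsing defect described above (a startsWith scan over the whole argument array) and the positional fix the patch section calls for, reconstructed as an added example that is not Claude Code's own code: a naive eager scanner beside a position-aware parser that consumes a value-taking flag's argument as data and never re-inspects it. The flag table (--settings and --prefill) and the constructed argv inputs are assumptions made for this example, not Claude Code's real option table.

```typescript
// Added example (not Claude Code's code): context-free flag scanning versus
// position-aware parsing. The flag table below is an assumption for the example.

interface ParsedArgs {
  settings?: string;
  prefill?: string;
  positional: string[];
}

const SETTINGS_PREFIX = "--settings=";

// The anti-pattern: every argv entry is tested with startsWith, so a value that
// merely *looks* like "--settings=..." (for example the string following
// --prefill) is accepted as if it were the real flag.
function eagerSettingsNaive(argv: string[]): string | undefined {
  const hit = argv.find((a) => a.startsWith(SETTINGS_PREFIX));
  return hit === undefined ? undefined : hit.slice(SETTINGS_PREFIX.length);
}

// Flags that take a value, as "--flag value" or "--flag=value" (assumed table).
const VALUE_FLAGS = new Set(["--settings", "--prefill"]);

// Position-aware parsing: walk argv left to right; once a value-taking flag is
// seen, the next entry is consumed as its value and is never parsed as a flag.
function parsePositional(argv: string[]): ParsedArgs {
  const out: ParsedArgs = { positional: [] };
  let i = 0;
  while (i < argv.length) {
    const arg = argv[i];
    if (arg === "--") {
      // Conventional end-of-options marker: everything after it is positional.
      out.positional.push(...argv.slice(i + 1));
      break;
    }
    if (!arg.startsWith("--")) {
      out.positional.push(arg);
      i += 1;
      continue;
    }
    const eq = arg.indexOf("=");
    const name = eq === -1 ? arg : arg.slice(0, eq);
    if (!VALUE_FLAGS.has(name)) {
      // An eager pre-parser that does not know whether an unknown flag takes a
      // value cannot safely skip it, so the example refuses rather than guesses.
      throw new Error(`unknown flag: ${name}`);
    }
    let value: string;
    if (eq !== -1) {
      value = arg.slice(eq + 1);
      i += 1;
    } else {
      if (i + 1 >= argv.length) throw new Error(`${name} requires a value`);
      value = argv[i + 1]; // consumed as data, whatever it looks like
      i += 2;
    }
    if (name === "--settings") out.settings = value;
    else out.prefill = value;
  }
  return out;
}

// Eager lookup built on the positional parser: only a real --settings flag counts.
function eagerSettingsSafe(argv: string[]): string | undefined {
  return parsePositional(argv).settings;
}

// Constructed argv resembling what a prefill value that happens to start with
// "--settings=" would produce. The naive scanner accepts it; the safe one does not.
const injectedArgv = ["--prefill", '--settings={"theme":"placeholder"}'];
const legitArgv = ["--settings", '{"theme":"dark"}', "--prefill", "hello"];
```

A quick way to exercise this is to run both parsers over injectedArgv: eagerSettingsNaive returns the JSON string, while eagerSettingsSafe returns undefined and parsePositional reports the whole string as the prefill value. On legitArgv both agree, which is the property a regression test for this class of bug should assert.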
Users running any version prior to 2.1.118 should update immediately. Security and DevSecOps teams should also audit any internal CLI tooling that performs eager or context-free argument parsing for similar injection risks, as this class of vulnerability is not unique to Claude Code.