PERMISSION/PROTOCOL

2026-05-12

Critical | Primary

Claude Code RCE — malicious deeplink injects SessionStart hook, executes arbitrary commands on victim machine with no additional interaction

Critical RCE in Claude Code CLI (patched v2.1.118): a crafted claude-cli:// deeplink injects a malicious SessionStart hook, executing arbitrary commands with no user interaction beyond clicking.

Claude Code | Tool execution / MCP | Remote code execution via malicious deeplink / session hook injection | Claude Code CLI on developer workstations — any machine where a user clicks an attacker-crafted claude-cli:// link

What happened

A crafted claude-cli:// deeplink injects a malicious SessionStart hook through context-blind CLI argument parsing, executing arbitrary OS commands when the victim clicks it.

Why it matters

Arbitrary command execution on developer workstations — full local code execution, potential credential theft, lateral movement from developer machines to production systems.

Missing authorization check

Session initialization hooks and settings overrides should require a signed authority receipt from an external channel, not be injectable via a URL parameter.

Would PP block it?

The attack delivers RCE at the OS level before any PP enforcement hook runs. However, if the attacker's goal is to use the compromised Claude Code session to perform privileged actions (deploy, commit to main, access production), PP gates those actions externally. The exploit delivers a foothold; PP limits what that foothold can authorize downstream.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-05-12: Researcher Joernchen of 0day.click discovers RCE via context-blind eagerParseCliFlag in Claude Code main.tsx.
  2. 2026-05-12: Anthropic patches vulnerability in Claude Code v2.1.118 with context-aware argument parsing.
  3. 2026-05-19: CybersecurityNews publishes full technical breakdown; vulnerability enters public signal scan.

Technical breakdown

  • eagerParseCliFlag in main.tsx scanned the entire process.argv array for any string starting with --settings= without tracking argument context, creating an injection surface.
  • Claude Code's --prefill deeplink option pre-populates prompts with the q parameter value; a --settings=... string embedded in q was treated as a real settings override.
  • A malicious SessionStart hook in the injected settings executes arbitrary OS commands immediately at session start — before any user prompt is displayed.
  • Workspace trust dialog bypass: pointing the repo parameter at a locally-trusted repository (e.g., anthropics/claude-code) silences all warning prompts.
  • The startsWith anti-pattern on raw process.argv is a broadly applicable mistake — any CLI tool performing eager, context-blind argument parsing with a deeplink handler faces the same risk.
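The startsWith anti-pattern from the breakdown above, next to a context-aware parser, as an added JavaScript illustration that is not Claude Code's source. The function names, the set of value-taking options, and every argv sample are assumptions constructed for this example; only the --settings= and --prefill flag names come from the page.

```javascript
// Added illustration, not Claude Code's source. The flag names come from the
// page; the parsing logic and all sample argv values are constructed.
const PREFIX = "--settings=";

// Assumption: options whose next argv element is user-supplied data.
const VALUE_OPTIONS = new Set(["--prefill"]);

// Context-blind scan (the anti-pattern): any argv element that starts with
// --settings= is accepted, even when it is really another option's value.
function eagerSettingsScan(argv) {
  const hit = argv.find((arg) => arg.startsWith(PREFIX));
  return hit === undefined ? null : hit.slice(PREFIX.length);
}

// Context-aware scan: walk argv in order, skip elements that belong to a
// value-taking option, and stop at the "--" end-of-options marker.
function contextAwareSettings(argv) {
  let settings = null;
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (arg === "--") break; // everything after is positional data
    if (VALUE_OPTIONS.has(arg)) { i++; continue; } // next element is data
    if (arg.startsWith(PREFIX)) settings = arg.slice(PREFIX.length);
  }
  return settings;
}

// Report where the two parsers disagree; a mismatch means data was read as a flag.
function compare(argv) {
  const eager = eagerSettingsScan(argv);
  const aware = contextAwareSettings(argv);
  return { eager, aware, mismatch: eager !== aware };
}

// Constructed inputs (placeholders only).
const LEGIT = ["--settings=/home/dev/settings.json", "--prefill", "explain this repo"];
const INJECTED = ["--prefill", "--settings=CONSTRUCTED_UNTRUSTED_VALUE"];
const AFTER_DASHDASH = ["--", "--settings=CONSTRUCTED_UNTRUSTED_VALUE"];

for (const [name, argv] of Object.entries({ LEGIT, INJECTED, AFTER_DASHDASH })) {
  console.log(name, JSON.stringify(compare(argv)));
}
```

Running compare over a corpus of argv vectors with both parsers works as a regression test: any mismatch marks an input where user-controlled text would have been promoted to a settings override.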

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: Agent action authorization gate / post-session-start tool-call receipts
Still needs: Initial RCE delivery via deeplink is a CLI/OS-level vulnerability outside PP enforcement scope; PP applies after session initialization
Receipt required for: Any privileged action (deploy, production access, credential use) initiated from a Claude Code session

PP's external authorization receipts break the downstream blast radius: agent actions resulting from the compromised session (deploys, API calls, credential access) still require signed receipts from outside the CLI process. The initial RCE on the workstation is below PP's hook points.

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
