PERMISSION/PROTOCOL

2026-05-27

High | Primary

Oasis Security chains three Claude.ai vulnerabilities into silent data exfiltration — no integrations required

Oasis Security chained three Claude.ai flaws — URL parameter injection, Files API exfiltration, and an open redirect — to silently steal conversation history.

Claude.ai (Anthropic)
Tool execution / MCP
Chained prompt injection and Files API data exfiltration
Claude.ai consumer app / claude.com platform (no integrations required)

What happened

Attacker-controlled HTML tags hidden in a URL parameter pre-filled a Claude.ai prompt with invisible instructions. Claude searched conversation history for sensitive data, wrote it to a file, and uploaded it to the attacker's Anthropic account via the Files API — all silently on user submit.

Why it matters

Full conversation history exfiltration from targeted Claude.ai sessions, including business strategy, health data, financial details, and personal information. In MCP-enabled enterprise deployments, blast radius expands to file reads, message sends, and API calls across all connected services.

Missing authorization check

A gate requiring explicit user confirmation before Claude invokes the Files API with externally supplied credentials or performs bulk access of conversation history, so that attacker-injected tool use can be distinguished from user-intended actions.

Would PP block it?

For a base claude.ai session, PP cannot intercept Files API uploads made within Anthropic's own code execution sandbox — the channel is internal to the Anthropic runtime, not a surfaced MCP tool call. However, in enterprise deployments with MCP servers or external integrations, PP's Tool-Call Gate would require signed receipts before the injected prompt could use any connected service — limiting blast radius to the model's built-in capabilities alone. PP's architecture (external authority over tool execution) would need to be integrated at the Anthropic platform layer to fully close this class of vulnerability for consumer deployments.

Incident analysis

Timeline and technical read

Timeline

  1. Pre-2026-05-27

    Oasis Security responsibly disclosed all three vulnerabilities to Anthropic through the Responsible Disclosure Program before publication.

  2. 2026-05-27

    Anthropic fixes the prompt injection (URL parameter injection); remaining vulnerabilities under active remediation.

  3. 2026-05-27

    Oasis Security publishes 'Claudy Day' blog post and full technical report detailing the three-stage attack chain.

  4. 2026-05-27

    Disclosure confirms the attack required no integrations, no MCP servers, no enterprise configuration — only a default claude.ai account.

Technical breakdown

  • Invisible injection vector: claude.ai accepts pre-filled prompts via the ?q= URL parameter; certain HTML tags embedded in this parameter are invisible in the chat input but fully processed by Claude on submission, allowing an attacker who controls any URL a user clicks to inject arbitrary instructions.
  • Exfiltration channel bypass: Claude's code execution sandbox blocks general outbound network access but permits connections to api.anthropic.com; attacker embeds their own Anthropic API key in the injected prompt to direct Claude to upload stolen conversation data to the attacker's account via the Files API.
  • Precision delivery via trusted domain: an open redirect at claude.com/redirect/<target> (since fixed) combined with Google Ads Customer Match allowed an attacker to place a search ad displaying a trusted claude.com URL that silently redirected victims to the injection payload — bypassing phishing indicators.
  • Zero-integration requirement: the full attack chain operates on an out-of-the-box claude.ai session (no MCP servers, tools, or enterprise configuration needed), making it exploitable against the entire Claude.ai user base.
  • Expandable blast radius: in any claude.ai session with MCP servers or tool integrations enabled, the injected prompt can read files, send messages, and call connected APIs silently before the user can intervene.
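As an added, defensive example (not Anthropic's front-end code and not part of the Oasis Security report), the following Python vets a `?q=` prefill before it is placed in a chat input. It encodes the rule the first bullet implies: a prefill is plain text by contract, so any tag- or entity-shaped content is refused outright rather than rendered and silently submitted. It also refuses format and control code points that render as nothing (zero-width characters and the like), which generalizes beyond the HTML tags the page describes. The `q` parameter name comes from the page; the length limit, the regular expression, the example hostname and the decision type are assumptions.

```python
"""Vet a prompt prefill taken from a URL parameter before it reaches the chat input.

Added example; assumes a hypothetical chat front end that accepts `?q=`.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Anything tag-shaped ("<div", "</p", "<!--") or entity-shaped ("&lt;", "&#x3c;").
# A prefill is plain text by contract, so there is no legitimate reason for
# markup to appear in it at all; refusing is safer than trying to strip it,
# because stripped tags would still leave their (hidden) text behind.
MARKUP_RE = re.compile(r"<\s*[A-Za-z/!?]|&#?[A-Za-z0-9]+;")
MAX_PREFILL = 4000  # assumed limit


@dataclass
class PrefillDecision:
    accepted: bool
    text: str     # exact string to place in the input (empty when rejected)
    reason: str


def has_invisible_chars(s: str) -> bool:
    """True if the text contains control/format/unassigned code points that
    render as nothing (e.g. zero-width space); newline and tab are allowed."""
    return any(
        ch not in "\n\t" and unicodedata.category(ch) in ("Cc", "Cf", "Co", "Cn")
        for ch in s
    )


def vet_prefill(raw: str) -> PrefillDecision:
    """Decide whether a URL-supplied prefill may be shown in the input at all."""
    if len(raw) > MAX_PREFILL:
        return PrefillDecision(False, "", "prefill too long")
    if MARKUP_RE.search(raw):
        return PrefillDecision(False, "", "markup-like content in prefill")
    if has_invisible_chars(raw):
        return PrefillDecision(False, "", "invisible characters in prefill")
    # Accepted text must be set as the input's plain value (never interpreted
    # as HTML), so what the user sees is exactly the string that is submitted.
    return PrefillDecision(True, raw, "plain text")


def prefill_from_url(url: str) -> PrefillDecision | None:
    """Extract and vet the `q` parameter; None when the URL carries no prefill."""
    values = parse_qs(urlparse(url).query).get("q")
    if not values:
        return None
    return vet_prefill(values[0])


if __name__ == "__main__":
    # Constructed sample URLs; the hostname is a placeholder.
    for u in ("https://chat.example.invalid/new?q=Summarize%20my%20notes",
              "https://chat.example.invalid/new?q=Summarize%3Cb%3Ehidden%3C/b%3E"):
        print(u, "->", prefill_from_url(u))
```

The second half of the mitigation is not in the code: the submit handler must send the input's displayed value and nothing else, so that rejecting or accepting the prefill is the only path by which URL-supplied text reaches the model.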

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Tool-Call Gate. The verdict is conditional: the gate blocks the attack only where the real action boundary is routed through it.

If enforced at
External MCP tool calls and integration actions in enterprise deployments
Still needs
Native Anthropic Files API usage within the code execution sandbox; internal platform capabilities that do not surface as MCP tool invocations; consumer claude.ai deployments without enterprise PP integration
Receipt required for
Any Files API upload initiated by the agent; any bulk conversation history access or summarization; any tool call using externally-supplied credentials

PP's Tool-Call Gate enforces at enterprise tool boundaries. The Files API exfiltration routes through Anthropic's internal infrastructure, not an external MCP tool PP intercepts. PP substantially limits blast radius in MCP/integration-enabled deployments by requiring receipts before injected prompts can use connected services.
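As an added example (not Permission Protocol's implementation; this page does not describe PP's actual receipt format or signing scheme), the following Python shows the shape of a Tool-Call Gate for the three receipt triggers listed above: Files API uploads, bulk conversation-history access, and any call using credentials the session did not issue. The tool names, the bulk threshold, HMAC-SHA256 receipts, the approver field and the demo key are all assumptions. A receipt is bound to the hash of one canonical action and is single-use, so an injected prompt cannot reuse an earlier approval for a different upload.

```python
"""Tool-Call Gate with signed, action-bound, single-use receipts (added example)."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

BULK_THRESHOLD = 20  # assumed: reading more than this many conversations is "bulk"


@dataclass
class ToolCall:
    tool: str                         # e.g. "files_api.upload", "conversation.search"
    args: dict
    credential_id: str | None = None  # credential the call would use, if any


@dataclass
class Session:
    session_id: str
    issued_credentials: frozenset     # credentials the platform minted for this session


@dataclass
class Verdict:
    allowed: bool
    reason: str


def canonical_action(call: ToolCall, session_id: str) -> bytes:
    """Stable byte encoding of exactly the action being authorised."""
    return json.dumps(
        {"session": session_id, "tool": call.tool, "args": call.args,
         "credential": call.credential_id},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def action_hash(call: ToolCall, session_id: str) -> str:
    return hashlib.sha256(canonical_action(call, session_id)).hexdigest()


def receipt_reason(call: ToolCall, session: Session) -> str | None:
    """Why this call needs an out-of-band receipt, or None if it may run directly."""
    if call.tool == "files_api.upload":
        return "files_api_upload"
    if call.tool in ("conversation.search", "conversation.export"):
        if call.args.get("scope") == "all" or int(call.args.get("limit", 1)) > BULK_THRESHOLD:
            return "bulk_history_access"
    if call.credential_id is not None and call.credential_id not in session.issued_credentials:
        return "external_credential"
    return None


def sign_receipt(signing_key: bytes, call: ToolCall, session_id: str, approver: str) -> dict:
    """The external authority's step: approval is bound to one specific action."""
    h = action_hash(call, session_id)
    sig = hmac.new(signing_key, f"{h}|{approver}".encode(), hashlib.sha256).hexdigest()
    return {"action_hash": h, "approver": approver, "sig": sig}


class ToolCallGate:
    """Sits between the model's proposed tool call and its execution."""

    def __init__(self, verify_key: bytes):
        self._key = verify_key
        self._consumed: set[str] = set()  # receipts are single-use

    def decide(self, call: ToolCall, session: Session, receipt: dict | None = None) -> Verdict:
        reason = receipt_reason(call, session)
        if reason is None:
            return Verdict(True, "no receipt required")
        if receipt is None:
            return Verdict(False, f"receipt required: {reason}")
        expected = action_hash(call, session.session_id)
        if not hmac.compare_digest(receipt.get("action_hash", ""), expected):
            return Verdict(False, "receipt is for a different action")
        msg = f"{expected}|{receipt.get('approver', '')}".encode()
        good = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(receipt.get("sig", ""), good):
            return Verdict(False, "bad receipt signature")
        if receipt["sig"] in self._consumed:
            return Verdict(False, "receipt already used")
        self._consumed.add(receipt["sig"])
        return Verdict(True, f"receipt accepted for {reason} by {receipt['approver']}")


if __name__ == "__main__":
    # Constructed demo: a session-issued credential versus a foreign one.
    key = b"constructed-demo-key"
    sess = Session("sess-1", frozenset({"cred-sess-1"}))
    gate = ToolCallGate(key)
    upload = ToolCall("files_api.upload", {"path": "/tmp/out.txt"}, "EXTERNAL-KEY-PLACEHOLDER")
    print(gate.decide(upload, sess))                                   # denied, no receipt
    r = sign_receipt(key, upload, "sess-1", "user@example.invalid")
    print(gate.decide(upload, sess, r))                                # allowed once
    print(gate.decide(upload, sess, r))                                # denied, replay
```

The gate denies by default for the three trigger classes and only the signer holds the key, so the model cannot mint its own approval; the replay check matters because a long-lived receipt would otherwise let one legitimate upload approval cover a later, injected one.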

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
