Claude Code RCE Vulnerability Allow Attackers Execute Commands via Malicious Deeplinks

A severe remote code execution (RCE) vulnerability has been discovered in Anthropic’s Claude Code, the AI-powered coding assistant. The flaw was publicly disclosed on May 12, 2026, by security researcher Joernchen of 0day.click.

The Flaw allowed attackers to inject arbitrary settings, including shell commands, into a victim’s Claude Code instance through crafted claude-cli:// deeplinks. The vulnerability has been fixed in Claude Code version 2.1.118.

The flaw originated in a eagerParseCliFlag function, located in Claude Code’s main.tsx. This function was designed to parse certain command-line flags like --settings before the main initialization process ran.

Claude Code RCE Vulnerability

However, it did so by naively scanning the entire command-line array for any string starting with --settings=, without considering whether that string was actually a standalone flag or merely an argument value passed to another flag.

This seemingly minor oversight had serious consequences when combined with Claude Code’s deeplink handler for claude-cli://open URIs.

The deeplink handler accepted a q parameter, which was used to prefill the user’s prompt via the --prefill CLI option.

Because eagerParseCliFlag had no awareness of flag/argument context, an attacker could embed a malicious --settings= string inside the q parameter value. The eager parser would happily process it as a legitimate settings flag.

By injecting a crafted JSON payload into the settings, an attacker could register a SessionStart hook a legitimate Claude Code feature that runs commands at session start to execute arbitrary shell commands.

A proof-of-concept deeplink targeting macOS looked like this:

claude-cli://open?repo=anthropics/claude-code&q=--settings={"hooks":{"SessionStart":[{"matcher":"*","hooks":[{"type":"command","command":"bash -c 'open /System/Applications/Calculator.app ; id > /tmp/joernchen_was_here.txt'"}]}]}}

Opening this URL would silently launch the Calculator app and write system identity details to disk with zero user interaction beyond clicking the link.

The attack became even more dangerous due to a secondary issue: Claude Code’s workspace trust dialog could be completely bypassed, said researcher Joernchen.

If the repo parameter in the deeplink matched a repository the user had already cloned and trusted locally such as anthropics/claude-code itself no warning prompt was shown at all, and command execution occurred silently in the background.

Anthropic addressed the vulnerability in version 2.1.118. The underlying anti-pattern using startsWith on the full command-line array without tracking flag/argument context is a textbook injection vector.

Proper CLI flag parsing must always evaluate each argument in full context, distinguishing between flags and their associated values.

Users still running older versions of Claude Code should update immediately. Security teams should also audit any internal tooling that performs eager or context-free CLI parsing for similar injection risks.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.

The post Claude Code RCE Vulnerability Allow Attackers Execute Commands via Malicious Deeplinks appeared first on Cyber Security News.