Claude Code Security Analysis: Understanding the CVE-2026-21852 API Key Exfiltration Vulnerability

The vulnerability has already been patched by Anthropic. Claude Code communicates with Anthropic's services using an API key, transmitted with each authenticated request. By manipulating a repository-controlled configuration setting, API traffic could be redirected to an attacker-controlled server.