docs(security): update threat-db v2.3.0 — CVE-2025-59536, CVE-2026-21852, +2 CVEs, T011

New CVEs (4):
- CVE-2025-59536: Claude Code RCE via enableAllProjectMcpServers config (fixed 1.0.111)
- CVE-2026-21852: Claude Code API key theft via ANTHROPIC_BASE_URL redirect (fixed 2.0.65)
- CVE-2026-26029: sf-mcp-server command injection via child_process.exec
- CVE-2026-27203: eBay API MCP Server env variable injection

New attack technique:
- T011: Project Configuration Hijacking (.claude/settings.json / .mcp.json as attack surface)

New defensive resources:
- GuardFive AI Agent Security Scanner
- Palo Alto AI Runtime Security MCP Threat Detection

New sources (7): Check Point Research, The Hacker News, Trend Micro, 1Password, Red Hat, NVD x2

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Florian BRUNIAUX 2026-02-25 18:59:03 +01:00
parent 9dc51b7033
commit ad735dfff4


@ -2,8 +2,8 @@
# For use with /security-check and /security-audit commands
# Manually maintained — update after new security advisories
version: "2.2.0"
updated: "2026-02-22"
version: "2.3.0"
updated: "2026-02-25"
sources:
- name: "Snyk ToxicSkills"
url: "https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/"
@ -77,6 +77,27 @@ sources:
- name: "The Hacker News - Anthropic Launches Claude Code Security"
url: "https://thehackernews.com/2026/02/anthropic-launches-claude-code-security.html"
date: "2026-02-21"
- name: "Check Point Research - CVE-2025-59536 & CVE-2026-21852 Claude Code RCE + API Key Theft"
url: "https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/"
date: "2026-02-25"
- name: "The Hacker News - Claude Code Flaws Allow RCE and API Key Theft"
url: "https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html"
date: "2026-02-25"
- name: "Trend Micro - Malicious OpenClaw Skills Used to Distribute Atomic macOS Stealer"
url: "https://www.trendmicro.com/en_us/research/26/b/openclaw-skills-used-to-distribute-atomic-macos-stealer.html"
date: "2026-02-23"
- name: "1Password - From magic to malware: OpenClaw attack surface"
url: "https://1password.com/blog/from-magic-to-malware-how-openclaws-agent-skills-become-an-attack-surface"
date: "2026-02-02"
- name: "Red Hat - MCP Security Current Situation"
url: "https://www.redhat.com/en/blog/mcp-security-current-situation"
date: "2026-02-25"
- name: "NVD - CVE-2026-26029 sf-mcp-server Command Injection"
url: "https://nvd.nist.gov/vuln/detail/CVE-2026-26029"
date: "2026-02-11"
- name: "CVEDetails - CVE-2026-27203 eBay API MCP Server Env Injection"
url: "https://www.cvedetails.com/cve/CVE-2026-27203/"
date: "2026-02-20"
# ═══════════════════════════════════════════════════════════════
# MALICIOUS AUTHORS (confirmed by security researchers)
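Review bot: the seventh source added in this hunk is a CVEDetails entry (`https://www.cvedetails.com/cve/CVE-2026-27203/`), not a second NVD entry as the commit message's "NVD x2" states; the count of seven is right, the attribution is not. Either point the CVE-2026-27203 entry at NVD, following the `https://nvd.nist.gov/vuln/detail/<id>` pattern the CVE-2026-26029 entry uses, or amend the commit message so the source list and the file agree. The same discrepancy carries into the `source: "CVEDetails (2026-02-20)"` line of the cve_database hunk below.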
@ -655,6 +676,25 @@ cve_database:
fixed_in: "1.0.111"
mitigation: "Update to Claude Code >= 1.0.111"
- id: "CVE-2025-59536"
component: "Claude Code"
severity: "critical"
description: "RCE via enableAllProjectMcpServers config — malicious .claude/settings.json or .mcp.json sets flag to auto-start MCP servers before trust dialog is shown; injected commands execute immediately upon claude startup in untrusted directory"
source: "Check Point Research (2026-02-25)"
fixed_in: "1.0.111"
mitigation: "Update to Claude Code >= 1.0.111; never run claude in untrusted repositories without reviewing config files first"
notes: "Paired with CVE-2026-21852; both disclosed by Check Point Research; trust dialog bypass is the core issue"
- id: "CVE-2026-21852"
component: "Claude Code"
severity: "medium"
cvss: 5.3
description: "API key exfiltration via ANTHROPIC_BASE_URL in malicious repository config — attacker sets ANTHROPIC_BASE_URL to attacker-controlled server in .claude/settings.json; Claude Code sends API requests (including bearer API key) before trust dialog is presented"
source: "Check Point Research (2026-02-25)"
fixed_in: "2.0.65"
mitigation: "Update to Claude Code >= 2.0.65; inspect .claude/settings.json and .mcp.json before opening unfamiliar repos"
notes: "With stolen key: access workspace storage, shared project files, unauthorized uploads, unexpected API cost generation"
- id: "ADVISORY-CC-2026-001"
component: "Claude Code"
severity: "high"
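Review bot: the CVE-2025-59536 entry is rated `severity: "critical"` but carries no `cvss` field, whereas its paired CVE-2026-21852 entry records `cvss: 5.3` next to `severity: "medium"`; if the Check Point advisory or NVD publishes a score for CVE-2025-59536, add it so both entries expose the same fields and a consumer of this file can rank by score rather than by the free-text severity label. The `notes:` line already flags that the two CVEs were disclosed together, so the asymmetry is easy to spot in `/security-audit` output.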
@ -752,6 +792,24 @@ cve_database:
fixed_in: "0.1.10"
mitigation: "Update MCP Salesforce Connector to >= 0.1.10; enforce attribute allowlists"
# --- sf-mcp-server ---
- id: "CVE-2026-26029"
component: "sf-mcp-server (Salesforce MCP)"
severity: "high"
description: "Command injection via unsafe child_process.exec when constructing Salesforce CLI commands with user-controlled input; allows arbitrary code execution on the host"
source: "NVD (2026-02-11)"
fixed_in: "unknown — check upstream"
mitigation: "Replace child_process.exec with execFile() and sanitize all user-controlled inputs; avoid sf-mcp-server until patched"
# --- eBay API MCP Server ---
- id: "CVE-2026-27203"
component: "eBay API MCP Server (open-source)"
severity: "medium"
description: "Environment variable injection via updateEnvFile function in ebay_set_user_tokens tool — all versions vulnerable; attacker can inject arbitrary env variables to the .env file"
source: "CVEDetails (2026-02-20)"
fixed_in: "no fix confirmed"
mitigation: "Sanitize all inputs to updateEnvFile; do not expose eBay MCP Server to untrusted inputs"
# ═══════════════════════════════════════════════════════════════
# MINIMUM SAFE VERSIONS (quick reference for scanning)
# ═══════════════════════════════════════════════════════════════
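Review bot: `fixed_in: "unknown — check upstream"` (CVE-2026-26029) and `fixed_in: "no fix confirmed"` (CVE-2026-27203) put prose into a field that every other entry in the surrounding context fills with a version string (`"0.1.10"`, `"1.0.111"`), so any version comparison in the `/security-check` and `/security-audit` commands the header says this file feeds would need to special-case these two. Suggest `fixed_in: null` and moving the text into a `notes:` field, which the Claude Code entries in the previous hunk already use. Separately, the MINIMUM SAFE VERSIONS block whose header appears in the trailing context is not touched anywhere in this diff, while the CVE-2026-21852 entry above raises the Claude Code floor to 2.0.65; confirm that quick-reference table was bumped in the same change.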
@ -1158,6 +1216,17 @@ attack_techniques:
source: "Pillar Security / Cisco AI Security Research (2026)"
mitigation: "Validate agent instruction sources cryptographically; treat all external channel content as untrusted user input; require human-in-the-loop for high-impact actions triggered via monitored channels; scope agent permissions to minimum required for task"
- id: "T011"
name: "Project Configuration Hijacking"
description: "Attacker embeds malicious settings in repository config files (.claude/settings.json, .mcp.json) that auto-execute MCP servers or redirect API traffic before trust dialog is shown; the configuration layer — not the code — is the attack surface"
examples:
- "Setting enableAllProjectMcpServers:true in .claude/settings.json to auto-start attacker MCP server that executes commands before trust dialog (CVE-2025-59536)"
- "Setting ANTHROPIC_BASE_URL to attacker endpoint in repo config — API key sent in plaintext before user can approve or deny the directory (CVE-2026-21852)"
- "Injecting claude hooks in settings.json to run exfiltration scripts on PostToolUse events"
cves: ["CVE-2025-59536", "CVE-2026-21852"]
source: "Check Point Research (2026-02-25)"
mitigation: "Review .claude/settings.json and .mcp.json before opening unfamiliar repos; treat these files as code, not metadata; update Claude Code to >= 2.0.65; never clone-and-run from untrusted sources without inspecting config files first"
# ═══════════════════════════════════════════════════════════════
# SCANNING TOOLS
# ═══════════════════════════════════════════════════════════════
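Review bot: the third `examples` item (hooks in settings.json firing scripts on PostToolUse events) is not backed by anything in the entry: `cves:` lists only CVE-2025-59536 and CVE-2026-21852, and `source:` cites only Check Point Research, whereas the other two examples each carry a CVE id inline. Either add a reference that documents the hooks vector, or mark the item as a hypothesised extension of the technique so that `/security-check` output does not present it as a confirmed finding alongside the two disclosed CVEs.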
@ -1378,3 +1447,13 @@ defensive_resources:
url: "https://thehackernews.com/2026/02/anthropic-launches-claude-code-security.html"
type: "tool"
description: "Anthropic's AI-powered codebase security scanner with human-reviewed patch suggestions; launched 2026-02-21. Scans for vulnerabilities using Claude as the analysis engine with human oversight before applying fixes."
- name: "GuardFive AI Agent Security Scanner"
url: "https://guardfive.com/blog/the-complete-mcp-server-security-checklist-2026"
type: "cloud-saas"
description: "Scans MCP servers for tool poisoning, credential theft, and malicious attacks; provides MCP server security checklist aligned with 2026 threat landscape"
- name: "Palo Alto AI Runtime Security - MCP Threat Detection"
url: "https://docs.paloaltonetworks.com/content/techdocs/en_US/ai-runtime-security/administration/prevent-network-security-threats/detect-mcp-threats"
type: "platform"
description: "Network-level MCP threat detection by Palo Alto; validates MCP tool communications and detects prompt injection and tool poisoning in real-time traffic (2026-02-09)"
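Review bot: the `type:` vocabulary is inconsistent within this hunk: the existing Claude Code Security entry uses `"tool"`, GuardFive gets `"cloud-saas"` and Palo Alto `"platform"`; if anything filters defensive_resources on this field, settle on one value set before more entries accumulate. The GuardFive `url` also resolves to a checklist blog post rather than the scanner itself, so the `description` stating that it "scans MCP servers" is not supported by the linked page; either link the product page or describe the entry as a checklist.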