From ad735dfff4277431c90a538db54b4d573f6e1eb0 Mon Sep 17 00:00:00 2001
From: Florian BRUNIAUX
Date: Wed, 25 Feb 2026 18:59:03 +0100
Subject: [PATCH] =?UTF-8?q?docs(security):=20update=20threat-db=20v2.3.0?=
 =?UTF-8?q?=20=E2=80=94=20CVE-2025-59536,=20CVE-2026-21852,=20+2=20CVEs,?=
 =?UTF-8?q?=20T011?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
New CVEs (4):
- CVE-2025-59536: Claude Code RCE via enableAllProjectMcpServers config (fixed 1.0.111)
- CVE-2026-21852: Claude Code API key theft via ANTHROPIC_BASE_URL redirect (fixed 2.0.65)
- CVE-2026-26029: sf-mcp-server command injection via child_process.exec
- CVE-2026-27203: eBay API MCP Server env variable injection
New attack technique:
- T011: Project Configuration Hijacking (.claude/settings.json / .mcp.json as attack surface)
New defensive resources:
- GuardFive AI Agent Security Scanner
- Palo Alto AI Runtime Security MCP Threat Detection
New sources (7): Check Point Research, The Hacker News, Trend Micro, 1Password, Red Hat, NVD x2
Co-Authored-By: Claude Sonnet 4.6
---
 examples/commands/resources/threat-db.yaml | 83 +++++++++++++++++++++-
 1 file changed, 81 insertions(+), 2 deletions(-)
diff --git a/examples/commands/resources/threat-db.yaml b/examples/commands/resources/threat-db.yaml
index a77c7c5..7c3c208 100644
--- a/examples/commands/resources/threat-db.yaml
+++ b/examples/commands/resources/threat-db.yaml
@@ -2,8 +2,8 @@
 # For use with /security-check and /security-audit commands
 # Manually maintained — update after new security advisories
-version: "2.2.0"
-updated: "2026-02-22"
+version: "2.3.0"
+updated: "2026-02-25"
 sources:
   - name: "Snyk ToxicSkills"
     url: "https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/"
@@ -77,6 +77,27 @@ sources:
   - name: "The Hacker News - Anthropic Launches Claude Code Security"
     url: "https://thehackernews.com/2026/02/anthropic-launches-claude-code-security.html"
     date: "2026-02-21"
+  - name: "Check Point Research - CVE-2025-59536 & CVE-2026-21852 Claude Code RCE + API Key Theft"
+    url: "https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/"
+    date: "2026-02-25"
+  - name: "The Hacker News - Claude Code Flaws Allow RCE and API Key Theft"
+    url: "https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html"
+    date: "2026-02-25"
+  - name: "Trend Micro - Malicious OpenClaw Skills Used to Distribute Atomic macOS Stealer"
+    url: "https://www.trendmicro.com/en_us/research/26/b/openclaw-skills-used-to-distribute-atomic-macos-stealer.html"
+    date: "2026-02-23"
+  - name: "1Password - From magic to malware: OpenClaw attack surface"
+    url: "https://1password.com/blog/from-magic-to-malware-how-openclaws-agent-skills-become-an-attack-surface"
+    date: "2026-02-02"
+  - name: "Red Hat - MCP Security Current Situation"
+    url: "https://www.redhat.com/en/blog/mcp-security-current-situation"
+    date: "2026-02-25"
+  - name: "NVD - CVE-2026-26029 sf-mcp-server Command Injection"
+    url: "https://nvd.nist.gov/vuln/detail/CVE-2026-26029"
+    date: "2026-02-11"
+  - name: "CVEDetails - CVE-2026-27203 eBay API MCP Server Env Injection"
+    url: "https://www.cvedetails.com/cve/CVE-2026-27203/"
+    date: "2026-02-20"
 # ═══════════════════════════════════════════════════════════════
 # MALICIOUS AUTHORS (confirmed by security researchers)
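Review bot: Three of the seven sources added in this hunk — Trend Micro, 1Password and Red Hat — are not cited by any `source:` field elsewhere in this patch (the new cve_database, attack_techniques and defensive_resources entries reference only Check Point Research, NVD and CVEDetails), so they read as orphan references unless an existing entry outside the diff uses them. If each backs a specific entry, name it in that entry's `source:`; otherwise a short comment above the item saying what it supports would help the next maintainer. The commit message also counts "NVD x2", while the hunk adds one NVD item and one CVEDetails item, so the message and the list disagree on provenance for CVE-2026-27203.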
@@ -655,6 +676,25 @@ cve_database:
     fixed_in: "1.0.111"
     mitigation: "Update to Claude Code >= 1.0.111"
+  - id: "CVE-2025-59536"
+    component: "Claude Code"
+    severity: "critical"
+    description: "RCE via enableAllProjectMcpServers config — malicious .claude/settings.json or .mcp.json sets flag to auto-start MCP servers before trust dialog is shown; injected commands execute immediately upon claude startup in untrusted directory"
+    source: "Check Point Research (2026-02-25)"
+    fixed_in: "1.0.111"
+    mitigation: "Update to Claude Code >= 1.0.111; never run claude in untrusted repositories without reviewing config files first"
+    notes: "Paired with CVE-2026-21852; both disclosed by Check Point Research; trust dialog bypass is the core issue"
+  - id: "CVE-2026-21852"
+    component: "Claude Code"
+    severity: "medium"
+    cvss: 5.3
+    description: "API key exfiltration via ANTHROPIC_BASE_URL in malicious repository config — attacker sets ANTHROPIC_BASE_URL to attacker-controlled server in .claude/settings.json; Claude Code sends API requests (including bearer API key) before trust dialog is presented"
+    source: "Check Point Research (2026-02-25)"
+    fixed_in: "2.0.65"
+    mitigation: "Update to Claude Code >= 2.0.65; inspect .claude/settings.json and .mcp.json before opening unfamiliar repos"
+    notes: "With stolen key: access workspace storage, shared project files, unauthorized uploads, unexpected API cost generation"
+
   - id: "ADVISORY-CC-2026-001"
     component: "Claude Code"
     severity: "high"
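Review bot: CVE-2025-59536 is recorded as `severity: "critical"` with no `cvss:` field, while the sibling CVE-2026-21852 entry added in the same hunk carries `cvss: 5.3`; if a score is published for the first one, add `cvss:` so the two entries are comparable, and if not, say in `notes:` that the rating is the maintainer's own. The context line just above the first added entry shows an existing record that is also `fixed_in: "1.0.111"` with the same mitigation (its `id:` is outside the hunk), so it is worth confirming the new entry is not the same advisory recorded twice under a different identifier. The MINIMUM SAFE VERSIONS quick reference is not touched anywhere in this commit; if it lists Claude Code, its floor should move to 2.0.65 to match the `fixed_in:` of CVE-2026-21852, since a scanner keying off that table would otherwise still accept 1.0.111.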
@@ -752,6 +792,24 @@ cve_database:
     fixed_in: "0.1.10"
     mitigation: "Update MCP Salesforce Connector to >= 0.1.10; enforce attribute allowlists"
+  # --- sf-mcp-server ---
+  - id: "CVE-2026-26029"
+    component: "sf-mcp-server (Salesforce MCP)"
+    severity: "high"
+    description: "Command injection via unsafe child_process.exec when constructing Salesforce CLI commands with user-controlled input; allows arbitrary code execution on the host"
+    source: "NVD (2026-02-11)"
+    fixed_in: "unknown — check upstream"
+    mitigation: "Replace child_process.exec with execFile() and sanitize all user-controlled inputs; avoid sf-mcp-server until patched"
+  # --- eBay API MCP Server ---
+  - id: "CVE-2026-27203"
+    component: "eBay API MCP Server (open-source)"
+    severity: "medium"
+    description: "Environment variable injection via updateEnvFile function in ebay_set_user_tokens tool — all versions vulnerable; attacker can inject arbitrary env variables to the .env file"
+    source: "CVEDetails (2026-02-20)"
+    fixed_in: "no fix confirmed"
+    mitigation: "Sanitize all inputs to updateEnvFile; do not expose eBay MCP Server to untrusted inputs"
+
 # ═══════════════════════════════════════════════════════════════
 # MINIMUM SAFE VERSIONS (quick reference for scanning)
 # ═══════════════════════════════════════════════════════════════
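Review bot: The two new entries put different free-text sentinels into `fixed_in:` — `"unknown — check upstream"` for CVE-2026-26029 and `"no fix confirmed"` for CVE-2026-27203 — in a field that otherwise holds version strings and that the MINIMUM SAFE VERSIONS table below and the /security-check command presumably compare against. Pick one machine-distinguishable convention, e.g. `fixed_in: null` with the wording moved to a `notes:` line, so a version comparison cannot misread prose as a version and both unpatched entries are found by the same query. Neither entry carries `cvss:`, unlike CVE-2026-21852 earlier in this patch; add the NVD score for CVE-2026-26029 if it has been assigned.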
@@ -1158,6 +1216,17 @@ attack_techniques:
     source: "Pillar Security / Cisco AI Security Research (2026)"
     mitigation: "Validate agent instruction sources cryptographically; treat all external channel content as untrusted user input; require human-in-the-loop for high-impact actions triggered via monitored channels; scope agent permissions to minimum required for task"
+  - id: "T011"
+    name: "Project Configuration Hijacking"
+    description: "Attacker embeds malicious settings in repository config files (.claude/settings.json, .mcp.json) that auto-execute MCP servers or redirect API traffic before trust dialog is shown; the configuration layer — not the code — is the attack surface"
+    examples:
+      - "Setting enableAllProjectMcpServers:true in .claude/settings.json to auto-start attacker MCP server that executes commands before trust dialog (CVE-2025-59536)"
+      - "Setting ANTHROPIC_BASE_URL to attacker endpoint in repo config — API key sent in plaintext before user can approve or deny the directory (CVE-2026-21852)"
+      - "Injecting claude hooks in settings.json to run exfiltration scripts on PostToolUse events"
+    cves: ["CVE-2025-59536", "CVE-2026-21852"]
+    source: "Check Point Research (2026-02-25)"
+    mitigation: "Review .claude/settings.json and .mcp.json before opening unfamiliar repos; treat these files as code, not metadata; update Claude Code to >= 2.0.65; never clone-and-run from untrusted sources without inspecting config files first"
+
 # ═══════════════════════════════════════════════════════════════
 # SCANNING TOOLS
 # ═══════════════════════════════════════════════════════════════
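Review bot: The third `examples:` item (hooks in settings.json on PostToolUse events) has no CVE or source behind it, while `cves:` and `source:` cite only the two Check Point findings; either mark it as a hypothesized variant in the text or cite where it was observed, so readers do not take all three as confirmed. The `mitigation:` folds "update Claude Code to >= 2.0.65" in with the config-review guidance, but as far as this entry shows only the two cited CVEs are closed by that version, so the wording should make clear that reviewing the config files remains necessary after updating. The enclosing attack_techniques list starts outside the hunk.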
@@ -1378,3 +1447,13 @@ defensive_resources:
     url: "https://thehackernews.com/2026/02/anthropic-launches-claude-code-security.html"
     type: "tool"
     description: "Anthropic's AI-powered codebase security scanner with human-reviewed patch suggestions; launched 2026-02-21. Scans for vulnerabilities using Claude as the analysis engine with human oversight before applying fixes."
+  - name: "GuardFive AI Agent Security Scanner"
+    url: "https://guardfive.com/blog/the-complete-mcp-server-security-checklist-2026"
+    type: "cloud-saas"
+    description: "Scans MCP servers for tool poisoning, credential theft, and malicious attacks; provides MCP server security checklist aligned with 2026 threat landscape"
+  - name: "Palo Alto AI Runtime Security - MCP Threat Detection"
+    url: "https://docs.paloaltonetworks.com/content/techdocs/en_US/ai-runtime-security/administration/prevent-network-security-threats/detect-mcp-threats"
+    type: "platform"
+    description: "Network-level MCP threat detection by Palo Alto; validates MCP tool communications and detects prompt injection and tool poisoning in real-time traffic (2026-02-09)"
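Review bot: The two added entries use `type:` values (`"cloud-saas"`, `"platform"`) that differ from the `"tool"` on the preceding entry, so a consumer filtering defensive_resources on `type:` will not group them with the existing scanners; align on the file's existing vocabulary or document the new values where `type:` is defined. The GuardFive `url:` points to a blog checklist post rather than the scanner that the `name:` and `description:` describe, so either link the product page or reword the entry as a checklist reference. The Palo Alto description embeds a date "(2026-02-09)" in prose whereas the sources list uses a `date:` field; a dedicated field keeps it parseable.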