On March 31, 2026, Anthropic leaked the source code for Claude Code. So we audited it, and found one confirmed vulnerability. To be clear, this is not a critical vulnerability. It is defense in depth. That said, Anthropic has Claude Code Review, Claude Code Security, and Mythos, and audited.xyz found room for improvement. Unrestricted Environment Variable Mutation via Transport Messages Severity: Low | Confirmed: RCE demonstrated in remote-worker mode Claude Code’s structured I/O layer accepts update_environment_variables messages over its transport protocol. The processLine method in structuredIO.ts applies incoming key-value pairs directly to process.env with no allowlist: if (message.type === 'update_environment_variables') { const keys = Object.keys(message.variables) for (const [key, value] of Object.entries(message.variables)) { process.env[key] = value } } The handler exists to refresh a single session token ( CLAUDE_CODE_SESSION_ACCESS_TOKEN ). But it accepts writes to every environment variable in the process. In remote-worker mode, Claude Code connects to a session ingress server via WebSocket or SSE using the --sdk-url flag. The RemoteIO class pipes incoming transport data directly into processLine() with no filtering. The server doesn’t authenticate itself to the client — Claude Code sends a Bearer token to prove its identity, but nothing verifies the server is trustworthy. We built a proof of concept: a mock WebSocket server that injects NODE_OPTIONS=--require=/tmp/payload.js via update_environment_variables . When Claude Code connects and spawns a child Node.js process, the payload executes — writing a marker file to confirm arbitrary code execution. Tested against Claude Code 2.1.92: $ cat /tmp/poc-evidence.txt RCE achieved via NODE_OPTIONS injection Timestamp: 2026-04-05T00:43:10.408Z Beyond RCE, the same mechanism enables: OAuth/API endpoint redirection — setting ANTHROPIC_BASE_URL or OAuth endpoint URLs redirects authentication flows and API calls to attacker-controlled servers, exfiltrating credentials and conversation context HTTPS_PROXY — routes all HTTPS traffic through an attacker-controlled proxy NODE_TLS_REJECT_UNAUTHORIZED=0 — disables TLS certificate validation entirely The attack surface is limited to remote-worker deployments (the common local CLI case uses a Unix pipe to a trusted parent). But within that context, the server-side endpoint has unrestricted control over the worker’s runtime environment, and client-to-server authentication does not make server-to-client messages trustworthy. The fix is a one-line allowlist restricting mutations to CLAUDE_CODE_ -prefixed keys. Demo Try it yourself: npx claude-code-audited Source: github.com/zack-eth/claude-code-audited Disclosure April 2, 2026 — Emailed Anthropic security team and submitted to HackerOne VDP April 7, 2026 — Anthropic confirmed the technical analysis The full audit report is available at audited.xyz/report/claude-code .