Anthropic Patches Critical Claude Code Flaw: Command-Parser Bug Exposed SSH Keys in CI/CD Pipelines
April 6, 2026 · 7 min read · Happycapy Guide
Anthropic released Claude Code v2.1.90 on April 6, 2026 to patch a critical command-parser bug. Attackers could bypass custom deny rules by injecting a hidden 51st subcommand past the hard-coded limit, enabling exfiltration of SSH keys and API tokens in CI/CD environments. Update immediately. Teams running Claude Code in automated pipelines are the primary risk group.
Run npm install -g @anthropic-ai/claude-code@latest and confirm claude --version returns v2.1.90 or higher.
What Was the Vulnerability?
Security researchers discovered a command-parser flaw in Claude Code that silently ignored developer-configured deny rules under a specific condition. Claude Code allows teams to define a blocklist of subcommands that the agent is not permitted to execute — a key security control for teams running the agent autonomously in CI/CD pipelines.
The bug: Claude Code parsed the first 50 subcommands in a request and enforced deny rules against them — but silently ignored any subcommand at position 51 or beyond. An attacker who could influence the tool call (via prompt injection in a repository, PR description, or issue comment) could hide a malicious subcommand in position 51, bypassing all configured deny rules.
The result: arbitrary command execution in the CI environment, with access to SSH keys, API tokens, environment variables, and secrets stored in the pipeline.
Who Is Affected
| Environment | Risk Level | Why |
|---|---|---|
| CI/CD pipelines (GitHub Actions, GitLab CI, CircleCI) | Critical | Automated execution, unattended, secrets in environment |
| Self-hosted Claude Code agents with deny rules | High | Deny rules are the primary control layer; they are bypassed |
| Developer machines — interactive, no deny rules | Low | Human in the loop; no automated secrets exposure |
| Developer machines — with deny rules configured | Medium | Deny rules bypassed on malicious inputs |
| Happycapy platform | Not affected | Sandboxed infrastructure; no raw Claude Code CI exposure |
Technical Details: How the Bypass Worked
Claude Code's deny rule enforcement operated on a bounded slice of the parsed subcommand list. The parser capped its evaluation window at 50 subcommands — a limit that went undocumented and untested for edge cases. A well-crafted tool call payload with 50 benign subcommands followed by one malicious subcommand in position 51 would:
- Pass the deny rule check (which only scanned positions 1–50)
- Execute the malicious 51st subcommand with the agent's full permissions
- Return no error or warning to the developer or CI log
The attack vector most relevant to production environments: prompt injection via repository content. A malicious actor who can add a README, PR description, commit message, or issue comment containing a crafted payload could trigger the bypass any time Claude Code reads that content in an automated pipeline.
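A simplified model of the bounded-window check described above, next to a full-list check. This is an added illustration, not Claude Code's source: the exact-name rule format, the splitter, and all function names are assumptions.

```javascript
// Simplified model of deny-rule enforcement; not Claude Code's source.
// Deny rules are modelled as exact command names (hypothetical format).
const LEGACY_WINDOW = 50; // evaluation cap described in the article

// Split on ;, &, &&, |, || and newlines, ignoring separators inside
// single or double quotes. Backslash escapes are not modelled.
function splitSubcommands(command) {
  const parts = [];
  let current = "", quote = null;
  for (let i = 0; i < command.length; i++) {
    const ch = command[i];
    if (quote) {
      if (ch === quote) quote = null;
      current += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
      current += ch;
    } else if (";\n|&".includes(ch)) {
      if ((ch === "|" || ch === "&") && command[i + 1] === ch) i++; // && or ||
      parts.push(current);
      current = "";
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter(Boolean);
}

const isDenied = (sub, denyRules) => denyRules.includes(sub.split(/\s+/)[0]);

// Flawed pattern: only the first LEGACY_WINDOW subcommands are checked.
function checkBounded(command, denyRules) {
  const head = splitSubcommands(command).slice(0, LEGACY_WINDOW);
  return { allowed: !head.some((s) => isDenied(s, denyRules)) };
}

// Corrected pattern: check every subcommand, report the first violation.
function checkFull(command, denyRules) {
  const subs = splitSubcommands(command);
  const i = subs.findIndex((s) => isDenied(s, denyRules));
  return { allowed: i === -1, position: i === -1 ? null : i + 1, total: subs.length };
}

// Constructed input: 50 no-op subcommands, then one denied command.
const rules = ["blockedtool"];
const sample = [...Array(50).fill("true"), "blockedtool --arg"].join(" && ");
console.log(checkBounded(sample, rules)); // { allowed: true }
console.log(checkFull(sample, rules)); // { allowed: false, position: 51, total: 51 }
```

A regression test for this class of bug should cover lengths of 50, 51 and well beyond, with the denied entry at the first and last positions.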
What the Patch Does
Claude Code v2.1.90 removes the 50-subcommand cap and enforces deny rules across the full subcommand list, regardless of length. Anthropic also added a test suite specifically covering edge cases at and beyond the old limit. The release notes describe the fix as restoring "proper deny-rule enforcement to mitigate unauthorized subcommand execution."
Beyond the parser fix, the v2.1.90 release includes additional hardening: stronger policy controls, improved cost insight dashboards, and a Bedrock setup wizard for enterprise teams. The Bedrock wizard is unrelated to the security fix but ships in the same version.
How to Update
Three steps:
- Update the package: npm install -g @anthropic-ai/claude-code@latest (global install) or npm update @anthropic-ai/claude-code (project dependency)
- Verify the version: claude --version (must return v2.1.90 or higher)
- Update CI pin if applicable: If you pin exact versions in CI configuration, update the pinned version explicitly. Semver ranges that include patch bumps will auto-update on next run.
After updating, review your CI logs for any anomalous subcommand sequences executed before April 6, 2026. Rotate SSH keys and API tokens accessible in affected CI environments as a precaution if your pipeline ran Claude Code autonomously with deny rules configured.
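One way to triage agent run logs for the command shape described above, as an added example (not an Anthropic or Happycapy tool). The JSON-lines log format, its field names and the function names are assumptions; adapt them to whatever your CI actually records.

```javascript
// Triage helper for agent run logs. Assumed format: one JSON object per
// line with "ts" (ISO 8601), "job" and "command" fields (hypothetical).
const OLD_WINDOW = 50; // subcommands past this position were unchecked

// Deliberately over-splits (ignores quoting) so nothing is under-counted.
const countSplit = (cmd) =>
  cmd.split(/&&|\|\||[;|&\n]/).map((s) => s.trim()).filter(Boolean);

// Return commands run before cutoffIso (the time the runner was upgraded)
// whose chain is longer than the old window, plus the unchecked tail.
function findLongChains(logText, cutoffIso) {
  const cutoff = Date.parse(cutoffIso);
  const hits = [];
  let malformed = 0;
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { malformed++; continue; }
    const ts = Date.parse(rec.ts);
    if (typeof rec.command !== "string" || Number.isNaN(ts)) { malformed++; continue; }
    if (ts >= cutoff) continue; // ran on the patched version
    const subs = countSplit(rec.command);
    if (subs.length > OLD_WINDOW) {
      hits.push({ ts: rec.ts, job: rec.job, total: subs.length,
                  unchecked: subs.slice(OLD_WINDOW) });
    }
  }
  return { hits, malformed }; // malformed lines need manual review
}

// Constructed sample log lines.
const longCmd = [...Array(50).fill("true"), "blockedtool --arg"].join(" ; ");
const sampleLog = [
  JSON.stringify({ ts: "2026-04-02T10:00:00Z", job: "build-17", command: "npm ci && npm test" }),
  JSON.stringify({ ts: "2026-04-03T09:30:00Z", job: "review-42", command: longCmd }),
  JSON.stringify({ ts: "2026-04-07T09:30:00Z", job: "review-50", command: longCmd }),
  "not json",
].join("\n");
console.log(JSON.stringify(findLongChains(sampleLog, "2026-04-06T00:00:00Z"), null, 2));
```

Each hit lists the subcommands that fell outside the old evaluation window; compare those against your deny rules and the secrets reachable from that job when deciding what to rotate.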
Context: Agentic AI Vulnerabilities Are Accelerating
This is not an isolated incident. As agentic AI tools gain access to real-world infrastructure — codebases, CI pipelines, cloud credentials, and production environments — they have become high-value targets for supply chain and prompt injection attacks.
| Incident | Date | Impact |
|---|---|---|
| LiteLLM supply chain attack (teampcp/mercor) | March 2026 | Malicious npm package exfiltrated API keys |
| Axios npm package RAT injection | March 2026 | Remote access trojan in 800K+ weekly downloads |
| Claude Code v2.1.90 command-parser bypass | April 6, 2026 (patched) | CI deny rules bypassed; SSH keys at risk |
| OWASP Agentic AI Top 10 published | April 2026 | Formal security taxonomy for agentic AI |
The pattern: agentic AI tools with file-system and shell access are operated in high-trust environments (CI pipelines, developer machines with cloud credentials) while the security model around them is still maturing. Deny rules are a good first-order control — but as this vulnerability demonstrates, they require rigorous implementation and adversarial testing.
Frequently Asked Questions
What is the Claude Code v2.1.90 vulnerability?
A command-parser bug in Claude Code allowed attackers to bypass developer-configured deny rules by hiding a malicious 51st subcommand past the tool's hard-coded 50-subcommand limit. This enabled unauthorized command execution, putting SSH keys, API tokens, and environment variables at risk in CI/CD pipelines.
Who is most at risk from this vulnerability?
Teams running Claude Code in automated CI/CD environments — GitHub Actions, GitLab CI, CircleCI, Jenkins — with custom deny rules configured. If Claude Code reads any user-controlled content (PR descriptions, issue comments, README files) during an automated run, the attack surface exists. Interactive local use with no deny rules is low-risk.
How do I update Claude Code to the patched version?
Run 'npm install -g @anthropic-ai/claude-code@latest' or 'npm update @anthropic-ai/claude-code' in your project. Verify with 'claude --version' — confirm v2.1.90 or higher. If you pin dependencies in CI, update the pinned version explicitly.
Is Happycapy affected by the Claude Code vulnerability?
Happycapy runs on its own sandboxed infrastructure and does not expose raw Claude Code command execution to external CI pipelines. The Happycapy platform is not affected by this vulnerability.
Sources: Let's Data Science — Anthropic Patches Claude Code Bypass · The AI Insider — Claude Code v2.1.90 Release · Releasebot — Anthropic Release Notes April 2026 · Happycapy — AI Platform