Dateline: March 31, 2026
Why Claude Code Trusts the Wrong Things (And What That Costs You)
Claude Code, Anthropic’s widely used coding assistant, has a serious gap in its defenses — and a security researcher just put the numbers on paper.
Introduction
When a tool has access to your files, your terminal, and your codebase, you want its safety guardrails to actually hold. But a new research paper published in March 2026 suggests that for Claude Code, those guardrails are far more porous than most users realize. The method? It doesn’t involve exotic hacking techniques. It works by doing something much simpler — changing what the tool believes it’s supposed to do.
What Happened?
Security researcher Cassius Oldenburg — who previously placed first among 40,000+ participants in the HackAPrompt 2.0 competition — published a paper titled “Context Is Everything: Trusted Channel Injection in Claude Code.”
The core finding: by replacing or overriding Claude Code’s system prompt through what he calls a “trusted channel,” an attacker can cause the tool to abandon its built-in behavioral instructions. In plain terms, Claude Code’s safety rules are delivered to it at the start of every session through a specific channel it inherently trusts. If someone can write content into that channel, they can rewrite the rules.
Oldenburg ran a structured evaluation across 21 prompts, 7 categories, and 210 total runs. The result: a 90.5% safety bypass rate.
The full paper, logs, and evaluation data have been published publicly on GitHub under the repository RED-BASE/context-is-everything.
This comes amid a broader wave of Claude Code security disclosures. Earlier in 2026, Check Point Research exposed critical vulnerabilities — assigned CVE-2025-59536 and CVE-2026-21852 — that allowed remote code execution and API key theft simply by cloning and opening a malicious repository. Separately, a Cymulate researcher found two high-severity vulnerabilities during Anthropic’s Research Preview phase, including a command injection flaw that allowed arbitrary commands to execute with no user confirmation required.
What’s the Impact?
The trusted channel injection finding matters because the attack surface is broad. Claude Code is not a toy — it runs commands, reads files, and interacts with developer environments at a deep level. The fundamental problem is that Claude processes untrusted content with trusted privileges.
For enterprise teams using Claude Code in shared environments, the risk is compounded. In shared workspaces, a single compromised setup can expose, modify, or delete shared files and generate unauthorized costs. The 90.5% success rate means this is not a niche edge case — it is closer to the default outcome when the method is applied.
The research also raises broader questions about how safety boundaries are designed in agentic coding tools. When instructions and context flow through the same channel, controlling one means you may control the other.
How to Avoid This
Users and teams running Claude Code can reduce exposure with a few practical steps:
Disable all hooks, explicitly approve only trusted MCP servers, and use deny rules aggressively — blocking commands like curl, .env access, and similar high-risk actions. Never run Claude Code as root or with elevated privileges you haven’t thought through carefully.
Claude Code only has the permissions you grant it — you are responsible for reviewing proposed code and commands before approving them. Treat every repository you open as potentially untrusted until you have reviewed its configuration directories, including .claude/ and similar tool-specific folders.For teams using Claude Code in automated pipelines, avoid the –dangerously-skip-permissions flag. It removes the human checkpoint that would otherwise catch suspicious behavior. The more Claude operates without review, the more exposure you carry.
