CVSS 9.8 Command Injection in Claude-Hovercraft - Another AI Tool RCE Joins the Pile
ZDI-26-124 discloses a critical command injection vulnerability in the claude-hovercraft tool's executeClaudeCode function, scoring CVSS 9.8 with no authentication required.

The Zero Day Initiative has published ZDI-26-124, disclosing a critical remote code execution vulnerability in a third-party Claude integration tool called claude-hovercraft. The flaw scores CVSS 9.8 - the near-maximum severity rating - and requires no authentication or user interaction to exploit.
TL;DR
- CVE-2025-15060 is a command injection in claude-hovercraft's executeClaudeCode function
- CVSS 9.8: network-exploitable, no authentication, no user interaction needed
- The affected GitHub repository has been removed completely
- This is the latest in a string of critical vulnerabilities hitting the Claude tool ecosystem in 2026
"The specific flaw exists within the executeClaudeCode method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call."
- Zero Day Initiative, ZDI-26-124
The Vulnerability
The flaw is textbook command injection. The executeClaudeCode function in claude-hovercraft takes user-supplied input and passes it directly to a system call without sanitization. An attacker on the network can inject arbitrary operating system commands, and those commands execute in the security context of the service account running the tool.
The CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) spells out exactly how bad this is:
| CVSS Factor | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely |
| Attack Complexity | Low | No special conditions needed |
| Privileges Required | None | No authentication |
| User Interaction | None | No clicks, no approval |
| Confidentiality Impact | High | Full data access |
| Integrity Impact | High | Full system modification |
| Availability Impact | High | Full denial of service |
Peter Girnus (@gothburz) of Trend Research discovered and reported the vulnerability. The vendor was notified on October 6, 2025. The advisory was published on February 25, 2026.
Vendor Response
The response was blunt: the affected repository was removed from GitHub entirely. There's no patch, no fixed version, no migration guide. If you were running claude-hovercraft, the expected remediation is to stop running it.
The Bigger Picture
This is not an isolated incident. The Claude tool ecosystem has been under sustained security scrutiny all through 2025 and into 2026, with critical vulnerabilities surfacing at an accelerating rate.
The Claude Tool Attack Surface
Check Point Research disclosed CVE-2025-59536 and CVE-2026-21852 earlier this year, showing that malicious project configurations in Claude Code could achieve remote code execution and API key theft simply by having a developer clone and open an untrusted repository. Anthropic patched those flaws in versions 1.0.87 and 1.0.111.
Koi Security found command injection vulnerabilities in three official Anthropic extensions - Chrome, iMessage, and Apple Notes connectors - all scoring CVSS 8.9. The root cause was identical to claude-hovercraft: unsanitized user input passed directly to system calls. Those were patched in August 2025.
LayerX Research discovered a zero-click RCE in Claude Desktop Extensions that could compromise systems through a Google Calendar event. Anthropic declined to fix it, stating the flaw "falls outside our current threat model."
And just last week, a separate dev.to analysis catalogued seven MCP server CVEs in a single month - all unauthenticated or low-privilege command injection flaws across the broader MCP ecosystem.
Who Is at Risk
| Stakeholder | Impact | Timeline |
|---|---|---|
| claude-hovercraft users | Full system compromise possible | Immediate - stop using now |
| Claude Code developers | Ongoing supply chain risk from third-party tools | Ongoing |
| Anthropic | Reputational pressure from ecosystem vulnerabilities | Medium-term |
| MCP tool ecosystem | Trust erosion across AI development tooling | Long-term |
The pattern is clear: AI coding tools that integrate with system-level operations are producing the same class of vulnerabilities that the software industry has spent decades trying to eliminate. Command injection is not a novel attack. It's OWASP Top 10 material. The fact that it keeps appearing in tools built specifically for developers suggests that the AI tooling ecosystem is growing faster than its security practices.
What Happens Next
The immediate concern for anyone who launched claude-hovercraft is straightforward: remove it and audit what it had access to. The CVSS 9.8 score and zero-authentication requirement mean that any network-accessible deployment was potentially compromised from the moment it was running.
The broader question is whether Anthropic and the wider AI tooling community can get ahead of this trend. Anthropic has patched vulnerabilities in its own products promptly when reported, but the third-party ecosystem around Claude - MCP servers, extensions, wrappers like claude-hovercraft - operates without the same safety and alignment standards that Anthropic applies to its own models.
Until the tooling ecosystem develops the same security rigor as the models themselves, expect more CVEs like this one.
Sources:
- ZDI-26-124: claude-hovercraft executeClaudeCode Command Injection RCE - Zero Day Initiative
- RCE and API Token Exfiltration Through Claude Code Project Files - Check Point Research
- PromptJacking: Critical RCEs in Claude Desktop - Koi Security
- Claude Desktop Extensions Zero-Click RCE - LayerX Research
- Anthropic Declines Fix for Zero-Click Flaw - Infosecurity Magazine
- Seven MCP CVEs in One Month - dev.to
- Claude's Collaboration Tools Allowed Remote Code Execution - The Register
- Peter Girnus (@gothburz) - Trend Research
