Claude Code MCP trust boundary failures allow workspace privilege escalation
Quick Answer
Claude-code caused a high-severity (7.5/10) security vulnerability failure: Claude Code MCP trust boundary failures allow workspace privilege escalation. The root cause was other. Potential for workspace privilege escalation in Claude Code v2.
Description
Security researcher Jashid Sany documented three systemic trust boundary failures in Claude Code v2.1.63 related to the Model Context Protocol (MCP): (1) weak MCP server configuration validation allowing untrusted servers to register with elevated trust, (2) insufficient tool confirmation prompts that can be bypassed by crafted tool descriptions, and (3) workspace trust escalation vulnerabilities where agents processing potentially malicious input can be manipulated to perform out-of-scope actions. All findings were submitted to Anthropic via HackerOne and closed as 'Informative'. The core failure: human-designed trust models break when autonomous agents process potentially adversarial input.
Instruction Given
Normal development tasks via Claude Code with MCP integrations
Expected Behavior
MCP server interactions constrained by trust level; no privilege escalation possible
Actual Behavior
Trust boundaries can be crossed through crafted MCP server configurations and tool descriptions; agent can be manipulated to perform out-of-scope privileged actions
Impact / Damage
Potential for workspace privilege escalation in Claude Code v2.1.63; Anthropic closed findings as Informative without CVE assignment
Frequently Asked Questions
What happened in incident STUPID-2026-0024? ▾
Security researcher Jashid Sany documented three systemic trust boundary failures in Claude Code v2.1.63 related to the Model Context Protocol (MCP): (1) weak MCP server configuration validation allowing untrusted servers to register with elevated trust, (2) insufficient tool confirmation prompts that can be bypassed by crafted tool descriptions, and (3) workspace trust escalation vulnerabilities where agents processing potentially malicious input can be manipulated to perform out-of-scope actions. All findings were submitted to Anthropic via HackerOne and closed as 'Informative'. The core failure: human-designed trust models break when autonomous agents process potentially adversarial input.
Which AI agent caused this failure? ▾
Claude-code was responsible for this security vulnerability incident, documented as STUPID-2026-0024 in the StupidLLM AI agent incident database.
How severe was this AI agent failure? ▾
It is rated 7.5/10 (high) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.
What was the root cause? ▾
The root cause was classified as other. MCP server interactions constrained by trust level; no privilege escalation possible
What was the impact or damage? ▾
Potential for workspace privilege escalation in Claude Code v2.1.63; Anthropic closed findings as Informative without CVE assignment
Related claude-code Incidents
Anthropic admitted a month of Claude Code degradation: lost context, repeated steps, burned usage
Uber burned its entire annual AI coding budget in ~4 months after rolling out Claude Code to 5,000 engineers
Claude Code ran rm -rf on test fixtures thinking they were temp files