-
time
min read

Claude Code Leak: 169 Issues Found in Minutes (73 Security, 96 Non-Security)

Claude Code Leak: 10+ Security Issues Found in Minutes

Claude Code was recently leaked. We analyzed it using LogicStar AI and found multiple severe security issues, including remote code execution and permission bypasses.

Key Findings

Out of 169 total issues surfaced: 73 were security vulnerabilities, 96 were non-security defects (logic errors, reliability issues, unsafe assumptions)Below are a few representative examples:

  1. Headless mode (even with read-only tools) allows Remote Code Execution without any prompt or warning in untrusted repositories:
  2. Headless mode (even with read-only tools) allows Remote Code Execution without any prompt or warning in untrusted repositories:

              echo "summarize this repo" | claude -p --tools "Read"

  1. The Claude MCP server allows arbitrary file writes. An undocumented tool call parameter enables writing files anywhere on the filesystem, without any visibility to the user.
  2. Permission model gaps allow access to sensitive files. We found multiple bypasses, including Grep and Glob enabling path traversal despite explicit deny rules.

With all the hype around Claude Mythos, which was likely built and tested on Claude Code, we expected severe vulnerabilities to be difficult to find.

Instead, our bug finder surfaced 169 issues within minutes.

Importantly, not all of these issues matter equally. The challenge is not finding bugs, but identifying which ones actually impact real systems.

This highlights the gap between raw model capability and production-grade system safety.

What This Means

AI coding tools are no longer just generating code. They are executing it.

This introduces new classes of risk:

  • hidden execution paths
  • implicit trust in configuration
  • fragile permission models

As AI-generated code increases development speed, the number of potential defects grows, but only a small subset actually matters in production.

Takeaways for Developers

  • Do not run AI coding tools on untrusted repositories without sandboxing
  • Do not assume “read-only” modes are safe

About LogicStar

LogicStar surfaces bugs in your software and identifies which ones actually matter by correlating them with customer complaints, production alerts, and real usage.

It does the investigation, root cause analysis, and validation so your team can focus on fixing, not triaging.

Try it here: https://logicstar.ai/
For a limited time, the first 20 bugs are on us.

We responsibly disclosed all the critical secruity issues above and more through Claude Code’s HackerOne program.

Share this article

Explore All Our Latest News!

March 9, 2026
Beyond SWE-bench: The Hardest Problem in AI Software Engineering Isn’t Writing Code
Read more
January 31, 2026
SWE-Star: Best-in-Class Agentic Coding Models
Read more
November 21, 2025
How LogicStar Autonomously Finds and Fixes A Real Bug in Our Production Code
Read more
November 17, 2025
Closing the Agentic Coding Loop with Self-Healing Software
Read more
September 26, 2025
How We Made SWE-Bench 50x Smaller
Read more
September 16, 2025
SWE-Bench Verified – Best Fix Generation at 76.8%
Read more
September 10, 2025
SWT-Bench Verified – Best Test Generation at 84%
Read more
July 18, 2025
LogicStar Successfully Completes Independent SOC 2 Audit with Ongoing Security Monitoring
Read more
July 18, 2025
ETH AI Center Affiliation
Read more
July 18, 2025
Introducing BaxBench
Read more
July 28, 2025
TechCrunch Article About LogicStar
Read more
July 28, 2025
Introducing the SWT-Bench Leaderboard!
Read more
July 28, 2025
Agentic AI from INSAIT and ETH Zurich
Read more
July 28, 2025
SWT-Bench
Read more
July 28, 2025
LogicStar AI raised a $3m round led by Northzone
Read more
July 28, 2025
Jobs
Read more
July 28, 2025
Introducing LogicStar
Read more
View All
LogicStar AI logo – autonomous software maintenance and self-healing applications

Stop guessing what to fix

Start fixing what matters

LogicStar shows the bugs impacting customers and revenue, ranked and ready to act on.

No workflow changes. Results in ~1 hour.

Start your Trial
Screenshot of LogicStar generating production-ready pull requests with 100 percent test coverage, static analysis, and regression validationScreenshot of LogicStar generating production-ready pull requests with 100 percent test coverage, static analysis, and regression validation
Close Cookie Popup
Cookie settings
We use cookies to run the site and understand how it’s used. You can accept all cookies or reject non-essential ones. See our Cookie Policy.
Accept all cookiesReject non-essential

Manage settings

Close Cookie Preference Manager
Cookie settings
By clicking 'Accept all cookies', you agree to storing cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts as outlined in our cookie policy.
Strictly necessary (always active)
Cookies required to enable basic website functionality.
Accept all cookiesSave settings