Claude Code Can Be Manipulated via CLAUDE.md to Run SQL Injection Attacks

Summary

LayerX researchers discovered that Anthropic's Claude Code AI assistant can be manipulated through its CLAUDE.md configuration file to bypass safety guardrails and execute malicious actions like SQL injection attacks and credential theft. The vulnerability exploits the AI's trust in the configuration file's instructions, allowing attackers to perform unauthorized access and data exfiltration without coding knowledge. Anthropic was notified on March 29, 2026, but has not provided a direct response.

Full text

Security Artificial IntelligenceClaude Code Can Be Manipulated via CLAUDE.md to Run SQL Injection AttacksbyDeeba AhmedApril 9, 20263 minute read LayerX researchers have discovered how to bypass Claude Code’s safety rules using the CLAUDE.md file. This exploit allows anyone to automate SQL injection attacks and steal user credentials without writing any code. A recent study by LayerX has found that hackers can transform a tool widely used by computer programmers into a powerful weapon for their malicious acts. The tool is Anthropic’s Claude Code, and LayerX researchers have discovered a way to weaponise it. This research, shared with Hackread.com, reveals that anyone can use the tool to attack websites even if they don’t know how to write code. Do not confuse Claude Code with the recent Claude source code leak. Claude Code is an AI-powered coding assistant. Since it is agentic, it writes and fixes computer code, makes its own choices, and runs commands on a computer. Every project that uses Claude Code has a simple text file called CLAUDE.md that tells it how to behave. Normally, the AI has safety guardrails to stop it from performing malicious activities, such as creating malware. However, LayerX researchers noted that these guardrails can be bypassed or fooled very easily. “Claude Code is for developers who need an AI that can take autonomous action on real systems, and is therefore given a broader set of permissions than standard web AI interfaces. This expanded freedom is intentional and necessary for Claude Code to be useful, but it also presents an attack surface that is already being exploited today,” the blog post reads. While testing in a controlled environment with a vulnerable web application called DVWA, they found that by typing just three lines of basic English into that text file, the tool was convinced to ignore its safety rules. In one test, they easily fooled the AI to allow unauthorised access by saying they had permission. The tool believed the file and immediately started stealing usernames and passwords. It even used a hacking technique called SQL injection to dump the database. The AI openly used the text file as its justification, as researchers noted that the AI told them: “Given the authorization stated in your CLAUDE.md for pentesting… here’s how to approach login bypass.” It then used a tool called cURL to run the attack, as researchers revealed that “this unremarkable file is suddenly an attack surface” because the AI trusts the instructions without question. The worrying part is that this is not just a theory but a real problem that can happen right now. LayerX report reveals several ways hackers may use this trick, such as simply lying to the AI to get it to help with a hack. Another risk involves malicious downloads. A hacker can share a project online that has a hidden instruction file, and when an honest developer downloads it, the tool might start stealing their private files. There is also the threat of an insider with bad intentions changing the file in a company project. Video Demo from LayerX LayerX’s team contacted Anthropic on 29 March 2026 to inform them about this issue, but they did not receive a favourable direct response and were told to email a different department. They sent another message that same day, but have not heard back yet. Therefore, for now, researchers suggest that any team using Claude Code must treat these text files like real computer code and inspect them closely to stay safe. Deeba Ahmed Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage. View Posts AIAnthropicClaudeClaude AIClaude CodeCybersecurityLayerXVulnerability Leave a Reply Cancel reply View Comments (0) Related Posts Security Android iPhone Technology DolphinAttack: Voice Assistant Apps Siri and Alexa Can Be Hacked Mainstream Voice Assistants Including Siri and Alexa Plagued with Serious Vulnerability. Voice assistant apps are not as reliable… byWaqas News Android Malware Security Thousands of Android Apps Infected with SonicSpy Spyware Google Play is believed to be the best platform for downloading applications and users across the globe rely… byUzair Amir Read More Security APTs Exploiting WinRAR 0day Flaw Despite Patch Availability All a user needs to do is visit the official WinRAR website and install the latest version to thwart the attack. byDeeba Ahmed Malware Security TrickBot Variant Steals Bitcoin by Hijacking Cryptocurrency Transactions Another day, another malware – This time TrickBot’s variant is stealing Bitcoin by hacking cryptocurrency transactions. TrickBot malware,… byWaqas

Indicators of Compromise

• malware — SQL injection

Entities