Hardening Claude Code for Production: What CVE-2026-21852 Doesn't Tell You
The upstream fix for CVE-2026-21852 protects interactive users. It does not protect headless mode. We tested this against our own production deployment and watched 18 API requests redirect to an attacker-controlled server in 30 seconds. Here is what we found and how to fix it.