Analyzed: March 31, 2026 leak snapshot
The source snapshot does not include a canonical CVE ledger. This page therefore distinguishes between source-visible risks and formal vulnerability disclosures, which cannot be derived from the code alone.
What can be stated from source
The code clearly contains risk-bearing areas:
- shell execution and sandbox escape pressure
- external MCP tools and resources
- plugin installation, marketplace fetch, and cache management
- remote bridge token handling and reconnection
- permission misconfiguration that could effectively grant unrestricted execution
Those are architectural risks, not proof of a published CVE.
What cannot be stated from source alone
The repository snapshot does not, by itself, establish:
- whether a given issue received a CVE
- which dependency versions are currently vulnerable in the ecosystem
- whether Anthropic had already patched an issue in later versions
Any formal CVE inventory would require a separate dependency and disclosure audit outside the source tree.
Practical reading
For this unofficial documentation set, the honest position is:
- document the risky subsystems visible in source
- do not claim specific CVEs unless independently verified
- assume implementation details may have changed after this snapshot