Anthropic's engineers wrote the fix for this vulnerability. It's in their codebase. They tested it. It works. They just never deployed it to the version their customers run.
That's not a conspiracy. It's something more unsettling: a performance optimization that inadvertently created a security gap, and a correct fix that sat undeployed while 500,000+ developers ran Claude Code believing their deny rules were enforced. Adversa AI published their findings on April 2, 2026, after analyzing the Claude Code source code that leaked on March 31. Anthropic quietly patched it in v2.1.90 two days later.
How the Bypass Works
Claude Code's permission system lets you configure deny rules that block specific commands. Configure {"deny": ["Bash(curl:*)"]} and the agent will refuse to run curl. The rule fires reliably on a single command. It fires on a command chained with a few others. It stops firing at command 51.
The code lives in bashPermissions.ts. The variable is MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50. When a shell command chains more than 50 subcommands using &&, ||, or ;, Claude Code stops analyzing individual subcommands and falls back to a generic ask-the-user prompt. The deny rules are never evaluated. The user sees a message about complexity, not a block.
The cap exists for a legitimate reason. Analyzing every subcommand in a long compound command was causing real performance problems: the UI froze, and the compute cost mounted with command length. Anthropic capped analysis at 50 and fell back to "ask." The internal comment noted that 50 was generous for legitimate user commands. Human developers rarely chain 50 commands in a terminal session. The assumption was correct for human-authored commands.
It didn't account for AI-generated commands produced from malicious project configuration files.
The Attack Chain
CLAUDE.md is a plain-text configuration file that Claude Code reads when it enters a project directory. It provides project-specific instructions, build steps, and context. Developers expect it to exist in well-maintained projects. Most developers treat it like documentation rather than executable instructions. It is both.
An attacker publishes a repository that looks legitimate: README, license, reasonable stars, professional project structure. The CLAUDE.md contains a build pipeline with 51 steps. In a modern monorepo with multiple workspaces, linters, compilers, and test suites, 51 steps is entirely normal. At step 51, embedded in what looks like a dependency verification command, is a curl request that sends the developer's ~/.aws/credentials to an attacker-controlled server.
A developer discovers the repository, clones it, and asks Claude Code to build the project. Claude Code reads the CLAUDE.md, generates the compound command, and hits the 50-subcommand cap. Instead of a hard block, the user sees: "Command splits into 51 subcommands, too many to safety-check individually. Do you want to proceed?" During a long coding session, with an agent that has been approved through dozens of build steps, the developer clicks yes.
Their SSH private keys, AWS access keys, GitHub tokens, npm tokens, and API secrets ship to the attacker's server. The deny rule that was supposed to block curl never fired. No warning indicated the security policy was bypassed. The permission system's own UI told the developer it couldn't fully analyze the command. The developer was given the choice to proceed anyway.
This attack targets the most security-conscious users specifically. Developers who never configured deny rules have no false sense of security. The developers who took the time to configure a security policy believed they were protected.
The Fix That Was Never Shipped
Anthropic's codebase contains two command parsing paths. The legacy regex parser ships in every public build. When it hits the 50-subcommand cap, it returns a permissive ask result. Deny rules are not checked. The newer tree-sitter parser, also present in the same repository, handles this correctly: it checks deny rules before capping. If a deny rule would fire, it fires regardless of command length. The secure approach was built, tested, and committed. It was never applied to the code path that customers run.
Adversa published their research on April 2. Anthropic shipped v2.1.90 on April 4. The changelog described the fix as "parse-fail fallback deny-rule degradation." If you were relying on deny rules and didn't read the changelog carefully, you had no signal that your security configuration had been failing silently before the patch.
If you're running Claude Code below v2.1.90, update now. The vulnerability is public, the proof of concept is trivial, and the attack surface is any developer who clones an external repository.
What This Reveals About AI Agent Security
The single vulnerability matters. What it reveals about the structural economics of AI agent security matters more.
In traditional software, security checks are cheap relative to the application's core function. A firewall rule evaluation doesn't compete with page serving for compute resources. An access control check doesn't consume the same budget as the user's work.
In agentic AI, this separation doesn't exist. Every deny-rule check, every permission validation, every sandbox enforcement is inference cost. It consumes the same tokens, the same GPU time, the same billing units as the user's task. When Anthropic's engineers hit a performance problem with complex command analysis, they were facing a real tension: thorough security analysis costs compute, and compute costs money.
Anthropic's 50-subcommand cap is what that tradeoff looks like in practice. It is the first publicly visible instance of a pattern that every AI agent company will encounter as their products handle longer, more complex tasks. Longer tasks mean more commands. More commands mean more security analysis. More analysis means more inference cost. The economic pressure to cap or skip that analysis only intensifies with scale.
Right now, most AI agent infrastructure is priced below cost. Companies are burning capital to capture market share. Security corners are already being cut at subsidized prices. When inference pricing reflects real cost, product and finance teams will apply the same pressure to security overhead they apply to any other cost center. The AI agent industry has not built governance frameworks for this tradeoff because it hasn't acknowledged the tradeoff exists.
The "ask the human" fallback, the industry's standard safety net when automated checks fail, is also worth examining. In interactive sessions, it mostly works. In CI/CD pipelines running Claude Code with --dangerously-skip-permissions, in background agents running autonomous sessions, in the long multi-hour tasks that AI agent roadmaps are converging on: there is no human watching. The ask prompt auto-approves or blocks the pipeline entirely. Operations teams quickly configure away the friction. The safety assumption collapses exactly in the environments where the stakes are highest.
What You Need to Do
Update Claude Code to v2.1.90 or later. This is the immediate fix. Verify your installed version before relying on deny rules for any security-sensitive workflow.
Audit CLAUDE.md files before running against unfamiliar repositories. CLAUDE.md is a configuration file that Claude Code treats as trusted execution instructions. Read it before running the agent. Treat it with the same scrutiny you'd apply to a shell script you're about to execute.
Don't rely on deny rules as a hard security boundary in unattended execution. In CI/CD pipelines or autonomous agent sessions, apply defense in depth: restrict network access, run with least-privilege credentials, and monitor outbound connections from developer workstations.
Test your AI agent security configuration adversarially. Verify that deny rules actually fire. Run the 50-subcommand test yourself against your own configuration. Don't trust the version number to tell you your controls are working. Test what the system actually does.
The Pattern Behind the Pattern
Kerckhoffs published his principle in 1883: a system must remain secure even when everything about it is known. Anthropic's system didn't survive the source code becoming public. The vulnerability was found in hours.
But the larger issue is structural. This week's story is a performance cap that silently broke a security control. Next time it will be a different optimization with the same outcome. Every AI agent on the market is operating under the same economic pressure: security analysis competes with product delivery for the same finite resource.
Traditional security tooling doesn't catch this. Scanners test for known CVEs. Compliance checklists verify that security controls exist. None of them test whether the controls actually enforce under the conditions that matter: complex commands, automated pipelines, long-running sessions, and AI-generated inputs designed to push past the thresholds where enforcement stops.
Your AI agent's security controls are code paths. Test them like code paths.