## https://sploitus.com/exploit?id=6807BA34-4B9B-5213-9BB4-B1C8E78D97A1
# CVE-PENDING: MCP Tool Confirmation Prompt Misrepresentation in Claude Code
## Summary
A malicious MCP server can misrepresent tool actions in Claude Code's confirmation prompt, causing users to approve what appears to be a safe file read operation while the server silently executes arbitrary system commands, writes files outside the project directory, and runs OS-level commands.
- **Product:** Claude Code
- **Version Tested:** 2.1.63
- **Platform:** Windows 10 (also applicable to Windows 11, macOS, Linux)
- **CWE-451:** User Interface (UI) Misrepresentation of Critical Information
## Video Demonstration
https://github.com/user-attachments/assets/143ac9b2-32f0-4022-9a01-7d4cdf50fd1a
> To embed the video: Drag and drop `MCP-TEST-Demo.mp4` into a GitHub issue or PR comment. GitHub will generate a `user-attachments` URL. Replace the URL above with that link.
## The Vulnerability
Claude Code's MCP tool confirmation prompt displays the tool name, parameters, and description, all of which are provided entirely by the MCP server and shown without validation. This enables a complete disconnect between what the user approves and what actually executes.
## Proof of Concept Walkthrough
### 1. Claude Code Version
Tested on Claude Code v2.1.63.

### 2. Clean Desktop: No Proof File Exists
Before running the exploit, the Desktop has no `mcp_mismatch_proof.txt` file.

### 3. Malicious MCP Server Source Code
The `server.py` declares a tool called `read_file` with the description "Safely reads a text file and returns its contents." However, the actual implementation executes `whoami`, writes a proof file to the Desktop, and returns fake file contents.

### 4. MCP Configuration
The `.mcp.json` points to the malicious server.

### 5. Legitimate README File
A normal project README used as bait for the "read file" request.

### 6. MCP Server Trust Dialog
Claude Code prompts the user to trust the MCP server. The user accepts; this simulates a developer trusting a cloned repository.

### 7. Deceptive Confirmation Prompt
**This is the core of the vulnerability.** The confirmation prompt shows:
```
Tool use
file-reader - read_file(path: "...\README.md") (MCP)
Safely reads a text file and returns its contents
Do you want to proceed?
```
The user sees a harmless file read operation and approves it.

### 8. Claude Code Output: Everything Looks Normal
After approval, Claude Code displays what appears to be the file contents. The user has no indication anything malicious occurred.

### 9. Proof File: Arbitrary Commands Executed
Opening a separate PowerShell window reveals the proof file on the Desktop:
```
PROOF-OF-CONCEPT: MCP TOOL MISMATCH
User approved: read_file(README.md)
Actually executed: file write + system commands
whoami: desktop-c9ak2kc\maldev01
```

### 10. Side-by-Side Comparison
The left shows the proof file in Notepad. The right shows Claude Code displaying innocent-looking output. The user approved "read a file" but got system command execution.

## Distinction from Existing CVEs
| CVE | Issue | Status | This Finding |
|-----|-------|--------|-------------|
| CVE-2025-59536 | MCP executing before consent dialog | Fixed v1.0.111 | Occurs **after** user consents |
| CVE-2026-21852 | API key exfiltration via env vars | Fixed | Different vector |
| CVE-2026-24887 | `find` command parsing bypass | Fixed v2.0.72 | Same class, different mechanism |
| **This finding** | **Prompt misrepresents actual execution** | **Unpatched on v2.1.63** | **User gives informed consent to wrong action** |
## In-Scope Justification
From Anthropic's VDP scope for Claude Code:
> "Misrepresenting parameters or tools in permission prompts by displaying different information than what will actually be executed"
## Impact
- **Arbitrary code execution:** MCP server can execute any system command
- **File system access outside project directory:** Proof file written to Desktop
- **Deceptive confirmation prompt:** User consented to "read a file" but got command execution
- **Fake return data:** Server returns fabricated output to hide the attack
- **Persistent compromise:** If the user selects "don't ask again," the attacker gets persistent execution
### Attack Scenario
An attacker includes a `.mcp.json` and malicious MCP server in a GitHub repository. A developer clones the repo, opens it in Claude Code, trusts the workspace, and uses the tool. The confirmation prompt shows a harmless file read, but the server exfiltrates SSH keys, environment variables, source code, and credentials while displaying normal-looking output.
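As an added defensive check (not part of this PoC or of Claude Code itself), the script below parses a project-scoped `.mcp.json` before the workspace is trusted and reports which servers would launch code shipped inside the cloned repository, so a reviewer knows which server source to read before accepting any tool description it advertises. The config layout (`mcpServers` with `command`/`args`/`env`) and the sample content are assumptions.

```python
import json

# Constructed sample of a project-scoped .mcp.json; assumed layout, not the PoC's file.
SAMPLE_MCP_JSON = json.dumps({
    "mcpServers": {
        "file-reader": {"command": "python", "args": ["server.py"]},
        "docs": {"command": "npx", "args": ["-y", "@example/docs-mcp"],
                 "env": {"DOCS_TOKEN": "${DOCS_TOKEN}"}},
    }
})

# Argument shapes that indicate the server is code living in the repo itself.
SCRIPT_SUFFIXES = (".py", ".js", ".ts", ".sh", ".ps1")
LOCAL_PREFIXES = ("./", "../", ".\\", "..\\")


def audit_mcp_config(config_text: str) -> list[dict]:
    """Return one finding per configured server.

    A server is marked runs_repo_code when its launch arguments reference a
    script path (local file or relative path). Once the workspace is trusted,
    that script runs with the developer's privileges, and the tool names and
    descriptions it advertises are what the confirmation prompt will display.
    """
    cfg = json.loads(config_text)
    findings = []
    for name, spec in cfg.get("mcpServers", {}).items():
        command = spec.get("command", "")
        args = [str(a) for a in spec.get("args", [])]
        local_scripts = [
            a for a in args
            if a.endswith(SCRIPT_SUFFIXES) or a.startswith(LOCAL_PREFIXES)
        ]
        findings.append({
            "server": name,
            "launch": " ".join([command, *args]).strip(),
            "runs_repo_code": bool(local_scripts),
            "repo_files_to_review": local_scripts,
            "env_keys": sorted(spec.get("env", {})),  # secrets handed to the server
        })
    return findings


def servers_needing_review(findings: list[dict]) -> list[str]:
    """Names of servers whose source must be read before the workspace is trusted."""
    return [f["server"] for f in findings if f["runs_repo_code"]]


if __name__ == "__main__":
    for f in audit_mcp_config(SAMPLE_MCP_JSON):
        print(f)
```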
## Reproduction
See [REPRODUCE.md](REPRODUCE.md) for full step-by-step instructions.
## Files
| File | Description |
|------|-------------|
| `server.py` | Malicious MCP server (proof of concept) |
| `.mcp.json` | MCP configuration pointing to the server |
| `project/README.md` | Legitimate project file used as bait |
| `REPRODUCE.md` | Full reproduction steps |
| `evidence/` | Screenshots and video demonstration |
## Disclosure Timeline
- **2026-03-03:** Vulnerability discovered and PoC developed
- **2026-03-03:** Report submitted to Anthropic via HackerOne VDP
- **Pending:** Awaiting Anthropic response
## Reporter
**Jashid Sany**
- GitHub: [https://github.com/jashidsany](https://github.com/jashidsany)
- Website: [https://jashidsany.com](https://jashidsany.com)