Claude Code Finding 4: Remote Control Session Hijacking via Missing Per-Session Authentication
Introduction

This is the fourth finding from my Claude Code security research. The claude.ai/v1/sessions/{session_id}/events endpoint, used by Claude Code’s remote-control feature, lacks per-session authentication. An attacker who obtains a user’s sessionKey cookie can inject arbitrary messages into an active session from any machine on the internet. Injected messages are processed identically to legitimate user messages with no visual indicator of external origin.

Product: Claude Code CLI v2.1.63
Feature: Remote Control (claude remote-control)
CWE: CWE-306 (Missing Authentication for Critical Function)
GitHub: claude-code-session-hijack
...
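As an added illustration (not code from this finding or from Claude Code itself), the following hypothetical Python model contrasts the cookie-only check described above with a design that mints a per-session secret when the CLI registers a session and requires a MAC under that secret on every posted event, so a leaked sessionKey alone no longer authorizes injection. All function names, the in-memory stores and the sample cookie and session values are assumptions constructed for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory state for the example; a real service keeps this server-side.
ACCOUNTS = {"cookie-alice": "alice"}          # sessionKey cookie -> account id
SESSIONS: dict = {}                           # session_id -> owner + per-session secret


@dataclass
class Event:
    session_id: str
    text: str
    origin: str  # surfaced to the CLI user so externally injected input is visible


def open_session(cookie: str, session_id: str) -> str:
    """Hypothetical pairing step: the server mints a secret for this session only
    and returns it to the CLI that registered the session (never to a cookie holder)."""
    secret = secrets.token_hex(32)
    SESSIONS[session_id] = {"owner": ACCOUNTS[cookie], "secret": secret}
    return secret


def sign_event(session_secret: str, session_id: str, text: str) -> str:
    # MAC binds the payload to one session; a stolen account cookie cannot forge it.
    msg = f"{session_id}\n{text}".encode()
    return hmac.new(session_secret.encode(), msg, hashlib.sha256).hexdigest()


def accept_event_weak(cookie: str, session_id: str, text: str) -> bool:
    """Models the behaviour the finding describes: any valid account cookie may post
    to any existing session id, so the cookie alone is sufficient."""
    return cookie in ACCOUNTS and session_id in SESSIONS


def accept_event_hardened(cookie: str, session_id: str, text: str,
                          tag: str) -> Optional[Event]:
    """Cookie must belong to the session owner AND the event must carry a valid
    per-session MAC; the digest comparison is constant-time."""
    sess = SESSIONS.get(session_id)
    if sess is None or ACCOUNTS.get(cookie) != sess["owner"]:
        return None
    expected = sign_event(sess["secret"], session_id, text)
    if not hmac.compare_digest(expected, tag):
        return None
    return Event(session_id, text, origin="paired-client")
```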