Claude AI Vulnerability Allowed Attackers to Steal Chat Data Through Hidden Prompts

Oasis Security research shows how hidden HTML, API abuse, and open redirects can circumvent defenses

Published on Mar 18, 2026

Security researchers have disclosed a multi-stage attack targeting Anthropic’s Claude AI that enabled silent prompt injection, alongside data exfiltration, even in default configurations with no external integrations.

The vulnerability, discovered by Oasis Security and dubbed “Claudy Day”, centered on Claude’s URL-based prompt prefill feature, which allows text to be preloaded into a chat window. Researchers found that attackers could embed invisible HTML tags in the URL parameter; these remained hidden in the interface but were acted on by the model once the prompt was submitted.

This created a mismatch between user intent and system behavior: a visible request to “summarize the news” could conceal hidden instructions steering Claude toward malicious or unrelated actions.

Files API Enabled Covert Data Theft

The researchers demonstrated how this injection could escalate into data theft using Anthropic’s Files API, a file-upload beta feature. With an attacker-controlled API key embedded in the hidden prompt, Claude could be tricked into extracting information, such as prior conversations, and uploading it as a file.

Because Claude’s sandbox restricts outbound traffic, traditional exfiltration paths were blocked. However, access to api.anthropic.com remained permitted, which gave an attacker a way to circumvent those network controls. Uploaded files could then be retrieved through the attacker’s API account.

The report also highlighted risks connected to Claude’s memory features, which could be abused to extract old conversations containing sensitive business or personal data. To deliver the attack, researchers identified an open redirect flaw on claude.com, allowing malicious links to appear as trusted URLs, including in Google Ads.

“The Claudy Day attack chain highlights a new reality: the prompt itself is now an attack surface,” Saumitra Das, Vice President of Engineering at Qualys, told Expert Insights. “There’s no malware or compromised infrastructure involved, it is just carefully crafted instructions delivered to a model that trusts them by default.”

Anthropic confirmed it has patched the critical prompt injection vulnerability. The remaining structural issues affecting the open redirect and the Files API are still being mitigated. The researchers recommend stricter input sanitization of prefilled prompts, limiting tool access during the initial prompt read, and requiring user approval for actions that security teams deem sensitive.
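The sanitization the researchers recommend comes down to one invariant for a prefill feature: the text the user sees in the chat box must be exactly the text the model receives. The following is an added defensive example, not code from Oasis Security or Anthropic; it assumes the prefill arrives as a query parameter named `q` (an assumption) and renders it to plain text, flagging any request whose raw parameter contained HTML markup so it can be logged or refused outright.

```python
"""Defensive normaliser for a URL-based prompt prefill parameter (added example).

Security property enforced: no hidden content. Markup is reduced to its text
content, so anything an attacker tried to hide in a tag becomes visible to the
user (or the whole prefill is refused when `had_markup` is True). The parameter
name `q` is an assumption, not taken from the report.
"""
from dataclasses import dataclass
from html import unescape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _TextOnly(HTMLParser):
    """Collects text nodes and records whether any tag was present at all."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []
        self.saw_tag = False

    def handle_starttag(self, tag, attrs):
        self.saw_tag = True          # style/hidden attributes are never kept

    def handle_endtag(self, tag):
        self.saw_tag = True

    def handle_data(self, data):
        self.parts.append(data)


@dataclass
class PrefillResult:
    text: str          # plain text: what is displayed AND what is submitted
    had_markup: bool   # True if the raw parameter carried HTML tags


def sanitize_prefill(url: str, param: str = "q") -> PrefillResult:
    """Extract the prefill parameter from `url` and reduce it to plain text."""
    values = parse_qs(urlparse(url).query).get(param, [])
    raw = values[0] if values else ""
    # Decode entities first so an entity-encoded tag (&lt;span&gt;) cannot
    # pass through as "text" and be interpreted as markup by a later renderer.
    decoded = unescape(raw)
    parser = _TextOnly()
    parser.feed(decoded)
    parser.close()
    # Collapse whitespace so tag boundaries do not glue words together.
    text = " ".join(" ".join(parser.parts).split())
    return PrefillResult(text=text, had_markup=parser.saw_tag)
```

A strict deployment treats `had_markup` as a hard reject and logs the raw parameter for the detection team; a lenient one shows the flattened text so the user reviews any formerly hidden instruction before submitting.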