“Claudy Day” Is a blueprint for why AI risk management can’t wait
Published by Mike Esber – Director, Littledata
19/03/2026
Yesterday , researchers at Oasis Security dropped a report that should sit uncomfortably with every CISO, compliance officer, and AI governance lead who has been watching enterprise AI adoption accelerate without a matching investment in AI-specific security controls.
They called it “Claudy Day.” The name is clever. The implications aren’t amusing.
Three vulnerabilities individually concerning, but chained together into a complete attack pipeline were found in Claude, one of the AI assistants widely considered to be among the safer options on the market. That context matters. This wasn’t a rogue, poorly-governed model. This was a flagship enterprise AI product from a company that has made safety its core brand proposition.
Let me walk through what actually happened, because the technical detail here tells a story that goes well beyond Claude.
The Three-Part Chain
The first flaw sits in how Claude handles a URL parameter called `?q=` a feature designed to let integrations pre-fill the chat box with a prompt. Oasis found that certain HTML tags placed inside that parameter are invisible in the text box shown to the user, but are transmitted in full to the model when the user hits send. The prompt a user sees and the prompt the model actually receives are not the same thing.
That’s the foundation. You’ve now got invisible instructions reaching the model. The attacker has control of Claude’s behaviour without the user knowing anything has happened.
The second flaw solves the delivery problem. A raw malicious link looks suspicious. Security-aware users won’t click it. But Oasis found an open redirect vulnerability on claude.com itself meaning they could construct a URL that technically starts with the trusted claude.com domain, passes Google’s ad approval process, and then quietly drops the user at an attacker-controlled page with the hidden injection already baked in.
No phishing email. No suspicious sender. Only a Google search result, at the top of the page, displaying a legitimate claude.com address.
The third flaw completes the pipeline. Oasis found that Anthropic’s Files API a beta feature for developers that allows file uploads to storage tied to an API account was reachable from inside the model’s sandbox. An attacker who embeds their own API key in the hidden prompt can instruct Claude to pull data from the user’s conversation history, write it to a file, and upload it directly to the attacker’s Anthropic storage. Up to 500MB per file, up to 100GB per organisation. Silently, without any additional tools, integrations, or MCP servers required.
The attack works even in a basic Claude chat session with no enterprise integrations. And if the session does have MCP servers or integrations enabled reading files, calling APIs, sending messages the blast radius expands dramatically.
Oasis reported all three issues to Anthropic through responsible disclosure. The prompt injection flaw has been patched. The other two are still being addressed.
This Isn’t a One-Off
What makes Claudy Day significant isn’t just the technical elegance of the chain. It’s the pattern it sits inside.
In January, PromptArmor disclosed a vulnerability in Anthropic’s Cowork AI tool that allowed file exfiltration via prompt injection without additional user approval. Last month, Check Point published findings on critical flaws in Claude Code CVEs with severity scores of 8.7 out of 10 that could allow silent system takeover simply by cloning an untrusted repository. In July 2025, a critical remote code execution vulnerability was found in the Anthropic MCP Inspector. And then there’s the Mexico government breach where jailbroken Claude was used as the primary tool in an attack that pulled 150 gigabytes of data including records tied to 195 million taxpayers.
I’m not listing these to pile on Anthropic. I’ve written elsewhere about why I think Claude is still one of the more thoughtfully built models available. The point is that even the safest models in the market are generating a growing security disclosure record, and that record is accelerating as more enterprise deployments create more attack surface.
Saumitra Das from Qualys put it well: “There’s no malware or compromised infrastructure involved it is just carefully crafted instructions delivered to a model that trusts them by default.”
That sentence is the whole problem. The prompt is the attack surface now.
What This Means for AI Governance
Here’s where I want to be direct about what I see organisations getting wrong.
Most enterprise AI governance conversations are still happening at the policy layer. “Do we have an acceptable use policy? Have we ticked the EU AI Act boxes? Have we mapped our high-risk systems?” Those aren’t bad conversations, but they’re not where the exposure lives. The exposure lives in deployment configuration. It lives in whether your AI tools have been granted broad system access from first interaction with no user confirmation. It lives in whether anyone in your organisation has mapped what a compromised prompt could actually reach.
Oasis made this point explicitly in their findings: when MCP servers and integrations are available from the very first interaction with no user confirmation, a single injected prompt can immediately leverage those tools. That’s not a policy problem. It’s a deployment and configuration risk that needs to be assessed, scored, and monitored continuously.
This is precisely the kind of risk that Littledata is built to surface. Not theoretical risk at the framework level practical, deployment-specific risk across the four dimensions that actually determine your exposure: capability risk, deployment risk, data risk, and governance risk. EU AI Act Article 9 requires organisations to have a risk management system in place throughout the AI system lifecycle. Claudy Day is a live demonstration of what happens when deployment risk goes unassessed and data risk goes unmonitored.
The organisations that will manage this well are the ones that treat their AI stack the way they already treat their cloud and endpoint estate with continuous visibility into configuration, access, and behavioural anomalies. The ones that won’t are the ones waiting for a governance framework to tell them exactly what to do next.
The Practical Steps
For any organisation currently deploying Claude or other AI agents in production, a few things matter immediately.
- Restrict tool access at first interaction. Don’t grant MCP servers and integrations from the moment a session opens. Require explicit user confirmation before an agent uses powerful tools for the first time.
- Audit what your AI sessions can reach. Conversation history, file systems, connected APIs, email and calendar integrations if they’re reachable from inside an AI session, they’re part of your attack surface.
- Treat prompt integrity as a security boundary. The signal from Claudy Day is that you cannot assume the instructions reaching your model are the instructions your users sent. Monitoring for anomalous model behaviour needs to be part of your AI operations stack.
- Don’t assume “safer model” means “safe deployment.” Claude’s safety record didn’t prevent Claudy Day. Safety properties at the model level and security properties at the deployment level are not the same thing.
The EU AI Act isn’t arriving to slow AI adoption. It’s arriving because the risk picture I’ve described above was always predictable, and somebody needed to force accountability infrastructure into the equation before the breaches normalised.
Claudy Day is a case study in what unmanaged deployment risk looks like. It won’t be the last one.
If your organisation is thinking seriously about how to build that accountability infrastructure without a six-figure consulting engagement, I’d like to talk.
*Sources: Oasis Security Research Team (Claudy Day disclosure), Dark Reading, BankInfoSecurity, Hackread, TechNadu, SecurityWeek, VentureBeat*
#AIGovernance #EUAIAct #LLMSecurity #CISO #AIRisk #PromptInjection #CyberSecurity #AICompliance #Littledata #ZeroTrust
