Anthropic-Ai Claude-Code vulnerabilities
26 known vulnerabilities affecting anthropic-ai/claude-code.
Total CVEs
26
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH20MEDIUM4LOW2
Vulnerabilities
Page 1 of 2
CVE-2025-59536P2HIGH≥ 0, < 1.0.1112025-10-03
CVE-2025-59536 [HIGH] CWE-94 Claude Code can execute commands prior to the startup trust dialog
Claude Code can execute commands prior to the startup trust dialog
Due to a bug in the startup trust dialog implementation, Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory.
Users on standard Claude Code auto-update will have received this fix automatic
ghsaosv
CVE-2026-21852P2MEDIUM≥ 0, < 2.0.652026-01-21
CVE-2026-21852 [MEDIUM] CWE-522 Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
A vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPI
ghsaosv
CVE-2026-39861P2HIGH≥ 0, < 2.1.642026-04-21
CVE-2026-39861 [HIGH] CWE-22 Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace
Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace
Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outsi
ghsa
CVE-2025-66032P2HIGH≥ 0, < 1.0.932025-12-03
CVE-2025-66032 [HIGH] CWE-20 Claude Code Command Validation Bypass Allows Arbitrary Code Execution
Claude Code Command Validation Bypass Allows Arbitrary Code Execution
Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window.
Users on standard Claude Code auto-update hav
ghsaosv
CVE-2026-25725P2HIGH≥ 0, < 2.1.22026-02-06
CVE-2026-25725 [HIGH] CWE-501 Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json
Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json
Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, setting
ghsaosv
CVE-2025-54795P2HIGH≥ 0, < 1.0.202025-08-04
CVE-2025-54795 [HIGH] CWE-78 Claude Code echo command allowed bypass of user approval prompt for command execution
Claude Code echo command allowed bypass of user approval prompt for command execution
Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window.
Users on standard Claude Code auto-update recei
ghsaosv
CVE-2025-59041P2HIGH≥ 0, < 1.0.1052025-09-10
CVE-2025-59041 [HIGH] CWE-78 Claude Code vulnerable to arbitrary code execution caused by maliciously configured git email
Claude Code vulnerable to arbitrary code execution caused by maliciously configured git email
At startup, Claude Code constructed a shell command that interpolated the value of `git config user.email` from the current workspace. If an attacker controlled the repository’s Git config (e.g., via a malicious `.git/config`) and set `user.email` to a crafted payload, the unescape
ghsaosv
CVE-2026-54316P2MEDIUM≥ 0.2.54, < 2.1.1632026-06-17
CVE-2026-54316 [MEDIUM] CWE-183 Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
Because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to in
ghsa
CVE-2026-24887P2HIGH≥ 0, < 2.0.722026-02-03
CVE-2026-24887 [HIGH] CWE-78 Claude Code has a Command Injection in find Command Bypasses User Approval Prompt
Claude Code has a Command Injection in find Command Bypasses User Approval Prompt
Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window.
Users on standard Claude Code au
ghsaosv
CVE-2025-58764P2HIGH≥ 0, < 1.0.1052025-09-10
CVE-2025-58764 [HIGH] CWE-94 Claude Code rg vulnerability does not protect against approval prompt bypass
Claude Code rg vulnerability does not protect against approval prompt bypass
Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window.
Users on standard Claude Code auto-update will have received this
ghsaosv
CVE-2025-64755P2HIGH≥ 0, < 2.0.312025-11-20
CVE-2025-64755 [HIGH] CWE-78 @anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system.
Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised
ghsaosv
CVE-2025-54794P3HIGH≥ 0, < 0.2.1112025-08-04
CVE-2025-54794 [HIGH] CWE-22 Claude Code Research Preview has a Path Restriction Bypass which could allow unauthorized file access
Claude Code Research Preview has a Path Restriction Bypass which could allow unauthorized file access
Due to a path validation flaw using prefix matching instead of canonical path comparison, it was possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on the presence of (or ability to create) a directory with th
ghsaosv
CVE-2025-65099P3HIGH≥ 0, < 1.0.392025-11-19
CVE-2025-65099 [HIGH] CWE-94 Claude Code vulnerable to command execution prior to startup trust dialog
Claude Code vulnerable to command execution prior to startup trust dialog
When using Claude Code with Yarn installed, Yarn config files can trigger code execution when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins and yarnPath could be executed prior to the user accepting the risks of working in an untrusted directory. Users on sta
ghsaosv
CVE-2025-59828P3HIGH≥ 0, < 1.0.392025-09-24
CVE-2025-59828 [HIGH] CWE-829 Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions
When using Claude Code with Yarn installed, Yarn config files can trigger code execution when running `yarn --version`. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins and `yarnPath` could be executed prior to the user accepting
ghsaosv
CVE-2026-25722P3HIGH≥ 0, < 2.0.572026-02-06
CVE-2026-25722 [HIGH] CWE-20 Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection
Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection
Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the `cd` command to navigate into sensitive directories like `.claude`, it was possible to bypass write protection and create or modify files without user confirma
ghsaosv
CVE-2026-33068P3HIGH≥ 0, < 2.1.532026-03-19
CVE-2026-33068 [HIGH] CWE-807 Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
Claude Code resolved the permission mode from settings files, including the repo-controlled `.claude/settings.json`, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set `permissions.defaultMode` to `bypassPermissions` in its committed `.claude/s
ghsaosv
CVE-2025-52882P3HIGH≥ 0.2.116, < 1.0.242025-06-23
CVE-2025-52882 [HIGH] CWE-1385 Claude Code Improper Authorization via websocket connections from arbitrary origins
Claude Code Improper Authorization via websocket connections from arbitrary origins
Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions v
ghsaosv
CVE-2026-40068P3HIGH≥ 2.1.63, < 2.1.842026-04-24
CVE-2026-40068 [HIGH] CWE-20 Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution
Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution
Claude Code used the git worktree `commondir` file when determining folder trust but did not validate its contents. By crafting a repository with a `commondir` file pointing to a path the victim had previously trusted, an attacker could bypass the trust dialog and immediately execute mal
ghsa
CVE-2026-25724P3LOW≥ 0, < 2.1.72026-02-06
CVE-2026-25724 [LOW] CWE-285 Claude Code has Permission Deny Bypass Through Symbolic Links
Claude Code has Permission Deny Bypass Through Symbolic Links
Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the sym
ghsaosv
CVE-2025-55284P3HIGH≥ 0, < 1.0.42025-08-18
CVE-2025-55284 [HIGH] CWE-78 Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code
Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code
Due to an overly broad allowlist of safe commands, it was possible to bypass the Claude Code confirmation prompts to read a file and then send file contents over the network without user confirmation. Reliably exploiting this requires the abi
ghsaosv
1 / 2Next →