Anthropic-Ai Claude-Code vulnerabilities

CVE-2026-39861 [HIGH] CWE-22 Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outsi

CVE-2026-35603 [MEDIUM] CWE-426 Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows On Windows, Claude Code loaded system-wide default configuration from `C:\ProgramData\ClaudeCode\managed-settings.json` without validating directory ownership or access permissions. Because the `ProgramData` directory is writable by non-administrative users by de

CVE-2026-33068 [HIGH] CWE-807 Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File Claude Code resolved the permission mode from settings files, including the repo-controlled `.claude/settings.json`, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set `permissions.defaultMode` to `bypassPermissions` in its committed `.claude/s

CVE-2026-25722 [HIGH] CWE-20 Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the `cd` command to navigate into sensitive directories like `.claude`, it was possible to bypass write protection and create or modify files without user confirma

CVE-2026-25723 [HIGH] CWE-20 Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope

CVE-2026-25725 [HIGH] CWE-501 Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, setting

CVE-2026-25724 [LOW] CWE-285 Claude Code has Permission Deny Bypass Through Symbolic Links Claude Code has Permission Deny Bypass Through Symbolic Links Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the sym

CVE-2026-24052 [HIGH] CWE-601 Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a `startsWith()` function to validate trusted domains (e.g., `docs.python.org`, `modelcontextprotocol.io`), this could

CVE-2026-24053 [HIGH] CWE-22 Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes Due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted c

CVE-2026-24887 [HIGH] CWE-78 Claude Code has a Command Injection in find Command Bypasses User Approval Prompt Claude Code has a Command Injection in find Command Bypasses User Approval Prompt Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code au

CVE-2026-21852 [MEDIUM] CWE-522 Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation A vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPI

CVE-2025-66032 [HIGH] CWE-20 Claude Code Command Validation Bypass Allows Arbitrary Code Execution Claude Code Command Validation Bypass Allows Arbitrary Code Execution Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update hav

CVE-2025-64755 [HIGH] CWE-78 @anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes @anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised

CVE-2025-65099 [HIGH] CWE-94 Claude Code vulnerable to command execution prior to startup trust dialog Claude Code vulnerable to command execution prior to startup trust dialog When using Claude Code with Yarn installed, Yarn config files can trigger code execution when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins and yarnPath could be executed prior to the user accepting the risks of working in an untrusted directory. Users on sta

CVE-2025-59536 [HIGH] CWE-94 Claude Code can execute commands prior to the startup trust dialog Claude Code can execute commands prior to the startup trust dialog Due to a bug in the startup trust dialog implementation, Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatic

CVE-2025-59829 [LOW] CWE-61 Claude Code permission deny bypass through symlink Claude Code permission deny bypass through symlink Claude Code failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude Code to access the file. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates

CVE-2025-59828 [HIGH] CWE-829 Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions When using Claude Code with Yarn installed, Yarn config files can trigger code execution when running `yarn --version`. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins and `yarnPath` could be executed prior to the user accepting

CVE-2025-59041 [HIGH] CWE-78 Claude Code vulnerable to arbitrary code execution caused by maliciously configured git email Claude Code vulnerable to arbitrary code execution caused by maliciously configured git email At startup, Claude Code constructed a shell command that interpolated the value of `git config user.email` from the current workspace. If an attacker controlled the repository’s Git config (e.g., via a malicious `.git/config`) and set `user.email` to a crafted payload, the unescape

CVE-2025-58764 [HIGH] CWE-94 Claude Code rg vulnerability does not protect against approval prompt bypass Claude Code rg vulnerability does not protect against approval prompt bypass Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update will have received this

CVE-2025-55284 [HIGH] CWE-78 Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code Due to an overly broad allowlist of safe commands, it was possible to bypass the Claude Code confirmation prompts to read a file and then send file contents over the network without user confirmation. Reliably exploiting this requires the abi