Anthropic-Ai Claude-Code vulnerabilities
26 known vulnerabilities affecting anthropic-ai/claude-code.
Total CVEs
26
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH20MEDIUM4LOW2
Vulnerabilities
Page 2 of 2
CVE-2026-24052P3HIGH≥ 0, < 1.0.1112026-02-03
CVE-2026-24052 [HIGH] CWE-601 Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains
Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains
Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a `startsWith()` function to validate trusted domains (e.g., `docs.python.org`, `modelcontextprotocol.io`), this could
ghsaosv
CVE-2026-25723P3HIGH≥ 0, < 2.0.552026-02-06
CVE-2026-25723 [HIGH] CWE-20 Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions
Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions
Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope
ghsaosv
CVE-2026-24053P3HIGH≥ 0, < 2.0.742026-02-03
CVE-2026-24053 [HIGH] CWE-22 Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes
Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes
Due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted c
ghsaosv
CVE-2026-35603P3MEDIUM≥ 0, < 2.1.752026-04-17
CVE-2026-35603 [MEDIUM] CWE-426 Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows
Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows
On Windows, Claude Code loaded system-wide default configuration from `C:\ProgramData\ClaudeCode\managed-settings.json` without validating directory ownership or access permissions. Because the `ProgramData` directory is writable by non-administrative users by de
ghsa
CVE-2025-59829P3LOW≥ 0, < 1.0.1202025-10-03
CVE-2025-59829 [LOW] CWE-61 Claude Code permission deny bypass through symlink
Claude Code permission deny bypass through symlink
Claude Code failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude Code to access the file.
Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates
ghsaosv
CVE-2026-46406P4MEDIUM≥ 2.1.59, < 2.1.1282026-06-25
CVE-2026-46406 [MEDIUM] CWE-59 @anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write
@anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write
The Claude Code `/copy` command wrote responses to a hardcoded, predictable path (`/tmp/claude/response.md`) without UID isolation, randomness, or symlink protection. The file was created world-re
ghsa
← Previous2 / 2