Anthropics Claude-Code vulnerabilities
29 known vulnerabilities affecting anthropics/claude-code.
Total CVEs: 29
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 12, MEDIUM 5
Vulnerabilities
Page 2 of 2
CVE-2025-55284 | P3 | HIGH | CVSS 7.5 | CWE-78 | fixed in 1.0.4 | 2025-08-16
Claude Code is an agentic coding tool. Prior to version 1.0.4, it's possible to bypass the Claude Code confirmation prompts to read a file and then send file contents over the network without user confirmation due to an overly broad allowlist of safe commands. Reliably exploiting this requires the ability to add untrusted content into a Claude Code con
Source: nvd
CVE-2026-44470 | P3 | HIGH | CVSS 7.8 | CWE-59 | fixed in 1.3834.0 | 2026-05-13
The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real directory or an NTFS directory junction before creating files within it. A
Source: nvd
CVE-2026-24052 | P3 | HIGH | CVSS 7.4 | CWE-601 | fixed in 1.0.111 | 2026-02-03
Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io); this could have enabled attackers to register do
Source: nvd
CVE-2026-25723 | P3 | MEDIUM | CVSS 6.5 | CWE-20 | fixed in 2.0.55 | 2026-02-06
Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope. Exploiting thi
Source: nvd
CVE-2026-24053 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | fixed in 2.0.74 | 2026-02-03
Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted conte
Source: nvd
CVE-2026-35603 | P3 | HIGH | CVSS 7.3 | CWE-426 | fixed in 2.1.75 | 2026-04-17
Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCod
Source: nvd
CVE-2026-44467 | P3 | MEDIUM | CVSS 6.8 | CWE-297 | affected versions >= 1.2581.0, < 1.4304.0 | 2026-05-13
The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in ~/.ssh/known_hosts without comparing the server's presented host key against the stored key. This allow
Source: nvd
CVE-2025-59829 | P3 | MEDIUM | CVSS 6.5 | CWE-61 | fixed in 1.0.120 | 2025-10-03
Claude Code is an agentic coding tool. Versions below 1.0.120 failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude Code to access the file. Users on standard Claude Code auto-update will hav
Source: nvd
CVE-2026-46406 | P4 | MEDIUM | CVSS 6.1 | CWE-59 | affected versions >= 2.1.59, < 2.1.128 | 2026-06-29
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privil
Source: nvd