Skip to main content

Microsoft CVE-2026-35603

| EUVDEUVD-2026-23520 MEDIUM
Untrusted Search Path (CWE-426)
2026-04-17 GitHub_M GHSA-5cwg-9f6j-9jvx
5.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 18:45 nvd
Patch available
Analysis Generated
Apr 17, 2026 - 23:48 vuln.today
Patch available
Apr 17, 2026 - 21:16 EUVD
EUVD ID Assigned
Apr 17, 2026 - 20:45 euvd
EUVD-2026-23520
Analysis Generated
Apr 17, 2026 - 20:45 vuln.today
CVE Published
Apr 17, 2026 - 20:38 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. This issue has been fixed on version 2.1.75.

AnalysisAI

Claude Code prior to version 2.1.75 on Windows allows low-privileged local users to execute arbitrary code by placing a malicious configuration file in an unprotected shared directory (C:\ProgramData\ClaudeCode\managed-settings.json). The vulnerability exploits the default writability of ProgramData to non-administrative users and the absence of directory ownership validation, enabling privilege escalation or lateral impact when a victim user subsequently launches the application. This requires local system access and user interaction (launching Claude Code), limiting real-world impact to shared multi-user systems.

Technical ContextAI

Claude Code is an agentic development tool that loads system-wide configuration from a fixed path in ProgramData, a shared Windows directory intended for application data accessible to all users. The root cause (CWE-426: Untrusted Search Path) stems from loading configuration without verifying that the containing directory is owned and controlled by trusted entities. By default, ProgramData allows write access to non-administrative accounts, and Claude Code did not pre-create the ClaudeCode subdirectory with restricted permissions. An attacker can create this directory and place a malicious managed-settings.json, which Claude Code then loads without ownership validation. The CVSS vector (AV:L/AC:L/PR:L) confirms this is a local privilege escalation requiring low-privilege account access and low attack complexity, though AT:P (attack timing requiring user interaction) and UI:P (user must launch the tool) constrain exploitability.

RemediationAI

The primary fix is to upgrade Claude Code to version 2.1.75 or later on all affected Windows systems. Users should ensure they run the latest version from the official Anthropics distribution channels and verify the update applies to their Windows installation. No workarounds are documented for pre-2.1.75 versions; however, as a compensating control on shared systems, administrators can manually create the C:\ProgramData\ClaudeCode directory with restricted ACLs (modifiable only by SYSTEM and Administrators) before users launch Claude Code, preventing non-administrative users from placing malicious configuration files. This control has the trade-off of requiring pre-deployment steps and ongoing verification. Alternatively, restricting write access to ProgramData itself (via Group Policy) is effective but may break other applications expecting standard ProgramData permissions. See https://github.com/anthropics/claude-code/security/advisories/GHSA-5cwg-9f6j-9jvx for patch confirmation and installation guidance.

Share

CVE-2026-35603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy