Skip to main content

Claude Code CVE-2026-46406

| EUVDEUVD-2026-40116 MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2026-06-25 https://github.com/anthropics/claude-code GHSA-4vp2-6q8c-pvq2
4.4
CVSS 4.0 · Vendor: https://github.com/anthropics/claude-code
Share

Severity by source

Vendor (https://github.com/anthropics/claude-code) PRIMARY
4.4 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.9 HIGH

Local attack vector (AV:L), unprivileged local account sufficient (PR:L), privileged user must run /copy (UI:R), scope change (S:C) as symlink enables writes beyond the process's filesystem permission boundary, high confidentiality and integrity from credential disclosure and arbitrary file overwrite.

3.1 AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/anthropics/claude-code).

CVSS VectorVendor: https://github.com/anthropics/claude-code

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 29, 2026 - 15:22 NVD
4.4 (MEDIUM)
Source Code Evidence Fetched
Jun 25, 2026 - 17:25 vuln.today
Analysis Generated
Jun 25, 2026 - 17:25 vuln.today

DescriptionCVE.org

The Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the /copy command.

Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.

Claude Code thanks hackerone.com/c_h4ck_0 for reporting this issue.

AnalysisAI

Insecure temporary file handling in Claude Code's /copy command exposes privileged users on multi-user systems to two distinct local attacks: passive response disclosure and symlink-based arbitrary file write. The command unconditionally writes AI response content to /tmp/claude/response.md - a static, world-readable path in a world-traversable directory - enabling any local user to read output that may contain secrets, credentials, or sensitive data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain unprivileged shell on shared host
Delivery
Pre-create /tmp/claude/ and plant symlink at response.md
Exploit
Wait for privileged user to invoke /copy command
Execution
Claude process follows symlink during file write
Impact
Attacker reads harvested credentials or achieves arbitrary privileged file overwrite

Vulnerability AssessmentAI

Exploitation Two conditions must hold simultaneously: (1) a local unprivileged attacker must have an interactive shell on the same host as the Claude Code user, and (2) a privileged user (e.g., root, or a user with access to sensitive credentials) must actively invoke the `/copy` command within Claude Code - general Claude Code usage without `/copy` does not trigger the vulnerable code path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is conditionally moderate-to-high, with the operative constraint being local access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker with an unprivileged shell on a shared Linux development server pre-creates `/tmp/claude/` and plants a symlink at `/tmp/claude/response.md` pointing to `/home/admin/.ssh/authorized_keys`. When the server's administrator later uses Claude Code to generate and copy a configuration script via the `/copy` command, the Claude response text is written directly into the admin's authorized_keys file - either corrupting it (denial of SSH access) or injecting an attacker-controlled public key for persistent backdoor access. …
Remediation The primary fix is upgrading `@anthropic-ai/claude-code` to version 2.1.128 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy