Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack vector (AV:L), unprivileged local account sufficient (PR:L), privileged user must run /copy (UI:R), scope change (S:C) as symlink enables writes beyond the process's filesystem permission boundary, high confidentiality and integrity from credential disclosure and arbitrary file overwrite.
Primary rating from Vendor (https://github.com/anthropics/claude-code).
CVSS VectorVendor: https://github.com/anthropics/claude-code
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the /copy command.
Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.
Claude Code thanks hackerone.com/c_h4ck_0 for reporting this issue.
AnalysisAI
Insecure temporary file handling in Claude Code's /copy command exposes privileged users on multi-user systems to two distinct local attacks: passive response disclosure and symlink-based arbitrary file write. The command unconditionally writes AI response content to /tmp/claude/response.md - a static, world-readable path in a world-traversable directory - enabling any local user to read output that may contain secrets, credentials, or sensitive data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two conditions must hold simultaneously: (1) a local unprivileged attacker must have an interactive shell on the same host as the Claude Code user, and (2) a privileged user (e.g., root, or a user with access to sensitive credentials) must actively invoke the `/copy` command within Claude Code - general Claude Code usage without `/copy` does not trigger the vulnerable code path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is conditionally moderate-to-high, with the operative constraint being local access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with an unprivileged shell on a shared Linux development server pre-creates `/tmp/claude/` and plants a symlink at `/tmp/claude/response.md` pointing to `/home/admin/.ssh/authorized_keys`. When the server's administrator later uses Claude Code to generate and copy a configuration script via the `/copy` command, the Claude response text is written directly into the admin's authorized_keys file - either corrupting it (denial of SSH access) or injecting an attacker-controlled public key for persistent backdoor access. … |
| Remediation | The primary fix is upgrading `@anthropic-ai/claude-code` to version 2.1.128 or later. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40116
GHSA-4vp2-6q8c-pvq2