PT-2026-52581 · Anthropic · Claude-Code
Published 2026-06-25 · Updated 2026-06-29 · CVE-2026-46406
CVSS v4.0: 4.4 (Medium)
| Vector | AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
@anthropic-ai/claude-code versions 2.1.59 through 2.1.127
Description
The /copy command writes responses to a hardcoded and predictable path, /tmp/claude/response.md, without UID isolation, randomness, or symlink protection. The resulting file is created with world-readable permissions (0644) within a world-traversable directory (0755). This allows any local unprivileged user to read responses generated by a privileged user, potentially exposing secrets, credentials, or API tokens. Furthermore, a local attacker can plant a symbolic link (symlink) at the predictable path, causing the privileged process to follow the link and overwrite an arbitrary system file with the response content, which could lead to privilege escalation or system compromise.
Recommendations
Update @anthropic-ai/claude-code to version 2.1.128.
Fix
Link Following
Information Disclosure
Related Identifiers
Affected Products
Claude-Code