CVE-2025-59536

Published Oct 3, 2025

Last updated 7 months ago

CVSS high 8.7

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-59536 identifies a code injection vulnerability present in versions of Anthropic's Claude Code prior to 1.0.111. Claude Code is described as an agentic coding tool. The vulnerability stems from a flaw in the implementation of the startup trust dialog, which could allow the tool to execute code embedded within a project before a user explicitly accepts the trust dialog. Exploitation of this vulnerability typically requires a user to initiate Claude Code within an untrusted directory. Malicious project configurations, such as those leveraging "Hooks" or Model Context Protocol (MCP) servers, could be used to execute arbitrary shell commands or exfiltrate API keys when a developer opens untrusted repositories. The issue was addressed in version 1.0.111 of Claude Code.

Description
Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.111.
Source
security-advisories@github.com
NVD status
Analyzed
Products
claude_code

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-94

Social media

Hype score
Not currently trending

  1. AIコーディングエージェントが攻撃される本当の入口は、モデルではなく「設定ファイル」でした。 TrustFall・AWS Kiro・CVE-2025-59536 を題材に整理して、対策に作ったツール Sigil も紹介しています。|Justin https://t

    @ju571nK

    23 May 2026

    333 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. Claude Code Security Vulnerabilities: CVE-2025-59536 & CVE-2026-21852 Analysis Critical vulnerabilities in Claude Code enable remote code execution and API key theft via malicious repository configurations. Analysis of three developer ... Written from an engineering perspect

    @Claudecode_JPEE

    10 May 2026

    243 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    2 Replies

    0 Quotes

  3. Claude Code脆弱性分析:RCE と API認証情報露出リスク Check Point Researchが報告したClaude Codeの重大脆弱性(CVE-2025-59536、CVE-2026-21852)は、リポジトリ設定を悪用したリモートコード実行とAPI認証情報窃取を可能にする

    @Claudecode_JPJE

    10 May 2026

    271 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. TrustFall lands. CVE-2026-26268 plus the Claude Code RCE chain (CVE-2025-59536, CVE-2026-21852, CVE-2026-33068). One Enter keypress auto-approves a malicious .mcp.json across Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot CLI. Translation: every default-trust agent CLI

    @musiol_martin

    10 May 2026

    317 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CW: One-click RCE in AI CLI tools CVE-2025-59536 allows remote code execution in Claude Code CLI v2.1.114 when a developer accepts the default "Yes, I trust this folder" prompt in a malicious directory. The attack exploits permissive project-scoped settings like

    @byte_guard_blog

    8 May 2026

    295 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2026-24887. CVE-2026-21852. CVE-2025-59536. Three Claude Code RCEs in 60 days, all weaponized faster after Anthropic shipped the full source map in a public npm bundle on March 31. The SaaS surface IS the threat surface. Self-hosted Claude Code behind strict allowlists kills

    @musiol_martin

    7 May 2026

    276 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. AIコーディングエージェントの脆弱性が開発現場に突きつけた問題は、単純なパッチ適用で済む話ではない。 Anthropic Claude Codeに見つかった3件の脆弱性は、2025年にCheck Pointの研究者が発見したもので、CVE-2025-59

    @nabinno

    5 May 2026

    265 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  8. CVE-2025-59536 + CVE-2026-21852: Claude Code <2.0.65 lets a repo config file silently run shell commands and exfiltrate your API key via Hooks/MCP. Patch is in 2.0.65. Self-hosted with strict allowlists kills the whole class. https://t.co/mE4uAPCm83

    @musiol_martin

    4 May 2026

    142 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Claude Codeで要確認:不審なリポジトリを開くだけで任意コードが実行される脆弱性(CVE-2025-59536, CVSS 8.7)。.claude/settings.jsonのHooks設定に悪意あるコマンドを注入する攻撃で、CI/CDに組み込まれていると組織全体

    @aidriven1234

    1 May 2026

    139 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. BREAKING: Four flaws in Anthropic Claude Code (CVE-2026-33068, CVE-2026-25723, CVE-2026-21852, CVE-2025-59536) enable trust bypass, arbitrary file writes and API key exfiltration in unpatched versions. https://t.co/7f7r9c7YTt

    @threatcluster

    30 Apr 2026

    115 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Check Point research: Claude Code, OpenAI Codex and Cursor can execute commands from benign-looking config files (CVE-2025-59536, CVE-2025-61260, CVE-2025-54136). Key vectors: lifecycle hooks, .env overrides, plugin-name trust. #AIsecurity #CVE https://t.co/PTpj5CtsRF

    @hasamba

    28 Apr 2026

    247 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 悪意あるリポジトリをクローンするだけでRCEとAPIキー窃取が起きるClaude Code脆弱性(CVE-2025-59536/CVE-2026-21852)が発見・修正済み。根本原因は.claude/settings.jsonがリポジトリ内に存在すること。信頼できないリポジ

    @aidriven1234

    26 Apr 2026

    178 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  13. 8,000 MCP servers exposed on the public internet. Trend Micro + Bitsight: 492 with zero auth, zero encryption. BlueRock: 36.7% of MCP servers potentially SSRF-vulnerable. Anthropic Claude Code shipped with MCP consent bypass (CVE-2025-59536).

    @uwillc

    24 Apr 2026

    160 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  14. Top 5 Trending CVEs: 1 - CVE-2026-25253 2 - CVE-2026-3888 3 - CVE-2026-40372 4 - CVE-2025-59536 5 - CVE-2026-26144 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    23 Apr 2026

    194 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Claude Code hooks で clone+open だけで RCE (CVE-2025-59536, CVSS 8.7)。 リポに .claude/ を置く慣習 = contributor に即RCE権を渡す構造。 #AIセキュリティ #ClaudeCode #CVE

    @FFuchi93304

    23 Apr 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  16. Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 - Aviv Donenfeld and Oded Vanunu https://t.co/ne7IicPoHh

    @pentest_swissky

    11 Apr 2026

    1686 Impressions

    7 Retweets

    17 Likes

    13 Bookmarks

    0 Replies

    0 Quotes

  17. Your .json config files are execution vectors now. Claude Code CVE-2025-59536 proved it — malicious hooks in settings.json trigger RCE the moment you open a project. No click required.

    @aiithingsai

    8 Apr 2026

    141 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. Claude情報漏洩を受けて、AI利用企業が月曜の朝イチでやるべき3つのアクション。 ① Claude Codeのバージョン確認 claude --version でv2.0.65以上か確認。未満なら即アップデート。CVE-2025-59536は悪意あるリポジトリを

    @oishillc

    6 Apr 2026

    171 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  19. 在陌生 repo 跑 Claude Code,API 金鑰可能已洩漏。 Check Point 披露 CVE-2025-59536(任意命令執行)+ CVE-2026-21852(密鑰外滲),攻擊鏈全程無感知,Anthropic 未有修復時間表。 vibe coding 用戶每天都咁做——邊緣場景定日

    @TechPulseHK

    2 Apr 2026

    112 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Check Pointが公開したCVE-2025-59536 (CVSS 8.7)。Claude CodeのHook設定に悪意あるコードを仕込んだリポ。開発者がcloneしてプロジェクトを開くだけでRCE + APIキー漏洩。

    @shun_aidev

    30 Mar 2026

    178 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. 1️⃣ About Claude Code vulnerabilities (CVE-2025-59536, CVE-2026-21852) : the attack surface no longer exists at the code execution layer alone. It has migrated upward into the configuration and initialization layers that govern how AI assistants interact with infrastructure b

    @francescofaenzi

    30 Mar 2026

    141 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    1 Quote

  22. ⚠️ "Vibe coding" is the new buzzword for 2026. But nobody is talking about the massive security timebomb it just created. Just weeks ago, Check Point Research exposed a critical vulnerability (CVE-2025-59536) in Anthropic’s Claude Code. Right now, founders are pushing

    @adarshk27r

    24 Mar 2026

    157 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  23. MCP関連のCVEが3月だけで立て続けに出てる。整理する。 ① CVE-2026-26118(Azure MCP Server) - SSRF → managed identity token窃取 → Azure全リソースへの権限昇格 - CVSS 8.8。3/10パッチ済み ② CVE-2025-59536(Claude Code) - プロジ

    @shun_aidev

    19 Mar 2026

    167 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. 毎日使ってるClaude Codeに重大な脆弱性が2件見つかった(修正済み)。 CVE-2025-59536: プロジェクトファイル経由のRCE CVE-2026-21852: ANTHROPIC_BASE_URLの上書きによるAPIキー漏洩 攻撃シナリオがリアル。 悪意あるリポ

    @shun_aidev

    19 Mar 2026

    249 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. 30+ Schwachstellen in Cursor, Copilot, Windsurf & Claude Code (IDEsaster-Forschung, Dez. 2025). Kein KI-Coding-Tool ist sicher. CVE-2025-59536 (CVSS 8.7): Repo klonen reicht für RCE. Patches existieren — aber wer prüft Versions-Inventare? 👇 #KI #CyberSecurity #DevS

    @OptimusflowC

    18 Mar 2026

    81 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. Recent #ClaudeCode vulnerabilities (CVE-2025-59536, CVE-2026-21852) show why the AI supply chain begins with the automation layer. Configuration files like .claude/settings.json are now part of the execution layer. Authority must be deterministic. 🛡️🦾 https://t.co/PGucc61

    @PermissionPrtcl

    17 Mar 2026

    150 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  27. #Cybernews 🚨💻 Las #Vulnerabilidades ⚠️, registradas como CVE-2025-59536 🆔 y CVE-2026-21852 🆔, podían activarse simplemente al #Clonar 🔁 y abrir 📂 un proyecto no confiable 🚫, sin necesidad de ejecutar código explícito 🧩 ni realizar acciones adicional

    @totalcybersec

    10 Mar 2026

    219 Impressions

    2 Retweets

    6 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  28. 🚨 CYBERDUDEBIVASH SENTINEL APEX ALERT 🚨 Threat: Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 Intel Report: https://t.co/1U7gyRBUzM

    @cyberbivash

    9 Mar 2026

    97 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. check point found 2 flaws in claude code — anthropic's AI dev tool. CVE-2025-59536: open a project → code runs before you click "trust." CVE-2026-21852: repo configs silently redirect your API keys to the attacker. clone the wrong repo. your AI tool is the backdoor.

    @The_Agent_Econ

    8 Mar 2026

    104 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. 🚨 CYBERDUDEBIVASH SENTINEL APEX ALERT 🚨 Threat: Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 Intel Report: https://t.co/tL4HD8m3Hz

    @cyberbivash

    3 Mar 2026

    109 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. Claude Codeの設定ファイルが攻撃面に不正リポジトリでRCEとAPIキー窃取が成立した脆弱性(CVE-2025-59536/CVE-2026-21852) https://t.co/Vs50pJ5SIK #セキュリティ対策Lab #セキュリティ #Security #CybersecurityNews #AINews

    @securityLab_jp

    3 Mar 2026

    183 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. Vulnerabilities (CVE-2025-59536, CVE-2026-21852) in Anthropic Claude Code https://t.co/k7E25uyOfG

    @ninp0

    2 Mar 2026

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. Claude Code มีช่องโหว่ เปิดทางแฮกเกอร์รันคำสั่ง-ขโมย API Key ได้เงียบๆ https://t.co/8UxH8udJWf CVE-2025-59536, CVE-2026-21852

    @ohmohm

    2 Mar 2026

    50 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  34. AI dev tool security alert. @claudeai Code vulnerabilities enabled: • Remote Code Execution • MCP consent bypass (CVE-2025-59536) • API key exfiltration (CVE-2026-21852) Reported by Check Point Research. Fully patched by Anthropic. Config files = potential execution vectors

    @TechNadu

    28 Feb 2026

    188 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  35. Report #2026-02-28-01: Claude Code flaws (CVE-2025-59536, CVE-2026-21852) enabled RCE + API token exfiltration via untrusted project files. Impact: HIGH. Source: https://t.co/rX49vfvl2V

    @elagentecapital

    28 Feb 2026

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  36. ผู้เชี่ยวชาญพบช่องโหว่ใน Anthropic Claude Code สามารถใช้ขโมยข้อมูลสำคัญ https://t.co/lVmqUC83TT CVE-2025-59536

    @ohmohm

    28 Feb 2026

    122 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  37. 「リポジトリをクローンして開いただけで APIキーが盗まれる」 セキュリティ企業Check Pointが Claude Codeに重大な脆弱性2件を発見・報告。 CVE-2025-59536 CVE-2026-21852 2件とも公開前にAnthropicが修正済みです🔐 ど

    @Claudia_AiLab

    27 Feb 2026

    109 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  38. Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 https://t.co/JmrQo0t4X7 #machinelearning #ai

    @eyalestrin

    27 Feb 2026

    66 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  39. 🚀 Top 10 AI & Dev News of the Day! 🧵👇 🚨 Claude Code RCE Flaws: Check Point Research discovered critical vulnerabilities (like CVE-2025-59536) in Claude Code that allow remote code execution and API key theft simply by opening malicious repositories. https://t.co/

    @jiayun

    27 Feb 2026

    152 Impressions

    1 Retweet

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  40. 🚀 Top 10 AI & Dev News of the Day! 🧵👇 🚨 Claude Code RCE Flaws: Check Point Research discovered critical vulnerabilities (like CVE-2025-59536) in Claude Code that allow remote code execution and API key theft simply by opening malicious repositories. https://t.co/

    @jiayun

    27 Feb 2026

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. Top 5 Trending CVEs: 1 - CVE-2026-25253 2 - CVE-2026-20127 3 - CVE-2025-59536 4 - CVE-2026-27509 5 - CVE-2026-27739 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    27 Feb 2026

    246 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. The Claude Code RCE vulnerability (CVE-2025-59536) is a perfect case study for why agentic AI needs security-first architecture. Giving AI agents shell access without proper sandboxing is like handing out root keys to your infrastructure. Every team deploying coding agents should

    @StephanFerraro

    27 Feb 2026

    79 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    2 Replies

    0 Quotes

  43. ⚠️Check PointがClaude Codeの重大脆弱性を公開 The Hacker Newsでも報道されました 内容はかなり深刻で ・悪意あるリポジトリを開くだけ ・RCE(Remote Code Execution=外部から任意コード実行)可能 ・APIキー盗

    @onumaro92

    26 Feb 2026

    210 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  44. Check Point disclosed critical Claude Code vulnerabilities yesterday (CVE-2025-59536, CVE-2026-21852). Three attack vectors, all execution before trust dialogs. RCE via hooks: Malicious .claude/settings.json executes shell commands on SessionStart. Clone poisoned repo, run

    @ManfredMancxx

    26 Feb 2026

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. 🚨 Critical RCE in Code: How Attackers Can Hijack #AI Assistants and Steal API Keys (#CVE-2025-59536 & #CVE-2026-21852) + Video https://t.co/aOkUZKfrk5 Educational Purposes!

    @UndercodeUpdate

    26 Feb 2026

    49 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  46. I hacked Claude Code! It turns out "agentic" is just a fancy new way to get a shell. I achieved full RCE and hijacked organization API keys. CVE-2025-59536 | CVE-2026-21852 https://t.co/GymKzaM1wp #ai #Claude

    @Od3dV

    26 Feb 2026

    60136 Impressions

    102 Retweets

    470 Likes

    334 Bookmarks

    6 Replies

    13 Quotes

  47. Critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, in Anthropic’s Claude Code enabled remote code execution and API key theft through malicious repository-level configuration files, triggered simply by cloning and opening an untrusted project https://t.co/nXlrDqdhgK h

    @blackorbird

    26 Feb 2026

    2078 Impressions

    9 Retweets

    21 Likes

    8 Bookmarks

    0 Replies

    0 Quotes

  48. What dropped today (while these clowns are still selling unsecured garbage bots that get your account nuked): • Claude Code Config Bypass/CVE-2025-59536 + CVE-2026-21852 lets attackers RCE your dev box and steal API keys just by cloning a poisoned repo — disclosed Feb 25, 20

    @Double00Kevin

    26 Feb 2026

    62 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  49. Anthropic社のAI「Claude Code」において、リモートでコードが実行される可能性のある深刻な脆弱性が発見されました。この問題は、CVE-2025-59536およびCVE-2026-21852として追跡されています。

    @omomuki_tech

    26 Feb 2026

    75 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  50. Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration - https://t.co/yCtHWMfO00 • Critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, in Anthropic’s Claude Code enabled remote code execution and API key theft through malicious repository-level https

    @AISecHub

    26 Feb 2026

    1660 Impressions

    3 Retweets

    26 Likes

    13 Bookmarks

    2 Replies

    0 Quotes

Configurations

Related CVEs

  1. In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code to bypass its trust confirmation dialog and immediately execute hooks defined in `.claude/settings.json`. Exploitation requires the victim to clone the malicious repository and run Claude Code within it, and the attacker must know or guess a path the victim had already trusted. This issue has been fixed in version 2.1.84.CVE-2026-40068
  2. Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation. This allowed a sandbox escape where neither the sandboxed command nor the unsandboxed app could independently write outside the workspace, but their combination could write to arbitrary locations, potentially leading to code execution outside the sandbox. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection. Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to version 2.1.64 or later.CVE-2026-39861
  3. Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. This issue has been fixed on version 2.1.75.CVE-2026-35603
  4. Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.CVE-2026-33068
  5. Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.CVE-2026-25725

References

Sources include official advisories and independent security research.