Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-46406

CVE-2026-46406: Claude Code Privilege Escalation Flaw

CVE-2026-46406 is a privilege escalation vulnerability in Anthropic Claude Code allowing local attackers to read sensitive data or overwrite files. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-46406 Overview

CVE-2026-46406 affects Anthropic Claude Code, an agentic coding tool distributed as a Node.js package. Versions from 2.1.59 through 2.1.127 implement the /copy command by writing responses to a hardcoded path at /tmp/claude/response.md. The implementation omits user identifier (UID) isolation, filename randomness, and symbolic link protections. The output file is created world-readable with mode 0644 inside a world-traversable directory with mode 0755. A local unprivileged user can read another user's Claude responses or plant a symlink to redirect writes. Anthropic addressed the issue in version 2.1.128.

Critical Impact

Local attackers can read sensitive Claude Code responses containing secrets or credentials, and can hijack the predictable output path via symlink to overwrite arbitrary files owned by a privileged Claude Code user.

Affected Products

  • Anthropic Claude Code versions 2.1.59 through 2.1.127
  • Node.js distributions of the claude_code package
  • Multi-user systems where privileged accounts execute the /copy command

Discovery Timeline

  • 2026-06-29 - CVE-2026-46406 published to NVD
  • 2026-06-30 - Last updated in NVD database

Technical Details for CVE-2026-46406

Vulnerability Analysis

The flaw is a symbolic link following weakness classified under [CWE-59]. The /copy command in Claude Code writes generated output to a static, predictable filesystem path in a shared temporary directory. Because /tmp/claude/ is created without per-UID separation and remains world-traversable, any local account can enumerate and read the response file. The permissions applied to response.md (0644) grant read access to every local user, exposing content that may contain API keys, tokens, source code, or other privileged material handled by the agent.

The second attack path leverages the predictability of the output location. A local unprivileged attacker can pre-create /tmp/claude/ and place a symlink at response.md pointing to any file writable by the privileged user. When the privileged user later runs /copy, the process follows the symlink and overwrites the target with the response content. This enables destruction or corruption of files belonging to the privileged account.

Root Cause

The root cause is insecure temporary file handling. The command hardcodes both the directory and filename, skips O_NOFOLLOW-equivalent open flags, and does not verify ownership or link status before writing. Combined with permissive default file modes, these choices break isolation on multi-user hosts.

Attack Vector

Exploitation requires local access with an unprivileged account plus a separate privileged user who executes the /copy command. The attacker either reads /tmp/claude/response.md after the privileged user writes to it, or pre-plants /tmp/claude/response.md as a symlink so the next /copy invocation overwrites an attacker-selected file path.

No verified public exploit code is available. See the GitHub Security Advisory GHSA-4vp2-6q8c-pvq2 for vendor technical details.

Detection Methods for CVE-2026-46406

Indicators of Compromise

  • Presence of /tmp/claude/ created by an unprivileged UID before a privileged user runs /copy
  • response.md existing as a symbolic link rather than a regular file inside /tmp/claude/
  • Unexpected modification timestamps on files owned by users who run Claude Code, particularly configuration or credential files
  • Claude Code process activity from users running versions between 2.1.59 and 2.1.127

Detection Strategies

  • Audit installed Claude Code versions across endpoints and flag any release older than 2.1.128
  • Monitor file creation events in /tmp/claude/ and alert when the directory owner differs from the user executing Claude Code
  • Use filesystem auditing (Linux auditd, macOS Endpoint Security) to log open() and symlink() operations targeting /tmp/claude/response.md

Monitoring Recommendations

  • Ingest process execution telemetry for the claude binary and correlate with subsequent writes to /tmp/claude/
  • Alert on symlink creation in world-writable directories that reference files inside user home directories or credential stores
  • Track privileged user sessions that invoke /copy on shared or multi-tenant hosts

How to Mitigate CVE-2026-46406

Immediate Actions Required

  • Upgrade Claude Code to version 2.1.128 or later on every system where it is installed
  • Restrict Claude Code usage to single-user workstations until the upgrade is verified
  • Remove any stale /tmp/claude/ directory and inspect its contents for leaked response data
  • Rotate secrets or credentials that may have been processed by /copy on shared systems

Patch Information

Anthropic fixed the vulnerability in Claude Code version 2.1.128. The fix removes the predictable path pattern and applies safer file handling. Full details are published in the GitHub Security Advisory GHSA-4vp2-6q8c-pvq2.

Workarounds

  • Avoid running the /copy command on multi-user systems until patched
  • Pre-create /tmp/claude/ owned by the privileged user with mode 0700 to block unprivileged writes and symlink planting
  • Configure TMPDIR to a per-user private directory for the account running Claude Code so temporary files land outside world-traversable locations
bash
# Configuration example: create a private temp directory for Claude Code
umask 077
mkdir -p "$HOME/.private-tmp/claude"
chmod 700 "$HOME/.private-tmp" "$HOME/.private-tmp/claude"
export TMPDIR="$HOME/.private-tmp"

# Verify installed version is patched
claude --version   # expect 2.1.128 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.