CVE-2026-47091 Overview
CVE-2026-47091 is a path traversal vulnerability [CWE-22] in Claude HUD versions through 0.0.12. The flaw allows local attackers to read arbitrary files by supplying an unvalidated transcript_path value via stdin JSON. The vulnerable code accepts any path string and resolves it without canonicalization or allow-list checks. Any file readable by the process becomes accessible to the attacker. The tool also writes file metadata to a persistent cache with insufficient permissions, producing a forensic record of accessed paths that survives process exit. The maintainer patched the issue in commit 234d9aa.
Critical Impact
Local attackers supplying crafted stdin JSON can read arbitrary files accessible to the Claude HUD process and persist metadata about those reads in a world-readable cache.
Affected Products
- Claude HUD versions through 0.0.12
- src/transcript.ts transcript path handling component
- Fixed in commit 234d9aad919b51326a43bcf90b45ae35c23afc30
Discovery Timeline
- 2026-05-18 - CVE-2026-47091 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-47091
Vulnerability Analysis
Claude HUD reads JSON input from stdin and extracts a transcript_path field. The pre-patch code passes this value directly to fs.statSync and subsequent file read operations. There is no canonicalization, allow-list, or boundary check to confine the path to a safe directory. An attacker controlling stdin can supply paths like ../../../../etc/passwd or absolute paths to any readable file. The process then reads the file and writes its metadata to a transcript cache file under the HUD plugin directory. Because the cache is written with insufficient permissions, other local users can enumerate which paths were accessed.
Root Cause
The root cause is missing input validation on the transcript_path parameter. The function readTranscriptFileState accepted any string and dereferenced it through filesystem APIs without resolving symlinks or verifying the canonical path stayed within an expected base directory.
Attack Vector
Exploitation requires local access and the ability to send JSON to the Claude HUD process via stdin. The attacker submits a JSON payload containing a transcript_path field pointing to a target file. Claude HUD reads the file and caches metadata about the access. The attack does not require elevated privileges beyond running the HUD process.
// Security patch in src/transcript.ts - introduces canonicalization
return path.join(getHudPluginDir(homeDir), 'transcript-cache', `${hash}.json`);
}
+function canonicalizeTranscriptPath(transcriptPath: string): string | null {
+ try {
+ return fs.realpathSync(transcriptPath);
+ } catch {
+ return null;
+ }
+}
+
function readTranscriptFileState(transcriptPath: string): TranscriptFileState | null {
try {
const stat = fs.statSync(transcriptPath);
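Review bot: canonicalizeTranscriptPath resolves the path but the visible context of readTranscriptFileState still calls fs.statSync(transcriptPath) on the raw input, and fs.realpathSync on its own only reports where the path lands; nothing in this hunk compares the result against an expected base directory. Suggest routing the canonicalized value into statSync and rejecting it unless path.relative(expectedBase, realPath) neither starts with `..` nor is absolute, so that canonicalization becomes a boundary rather than just a normalization. The null return also deserves a comment stating that it covers nonexistent targets and dangling symlinks, since realpathSync throws for both.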
// Source: https://github.com/jarrodwatts/claude-hud/commit/234d9aad919b51326a43bcf90b45ae35c23afc30
The patch adds canonicalizeTranscriptPath, which calls fs.realpathSync to resolve symlinks and produce the absolute on-disk path before further processing. A companion change in src/git.ts wraps branch names with encodeURIComponent to harden generated links.
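The Root Cause section and the patch discussion above both turn on the same point: resolving a path is not the same as confining it. The following TypeScript is an added example, not code from the Claude HUD project or its commit. It places the pre-patch shape (raw string handed to fs.statSync) next to a hardened resolver that canonicalizes with fs.realpathSync and then requires the result to sit inside a base directory. The function names (statUnchecked, resolveConfinedPath, readConfinedTranscript), the baseDir parameter and the temporary-directory fixture are all assumptions made for the example.

```typescript
// Added example, not code from the Claude HUD project. Shows the pre-patch
// shape (raw string straight into a filesystem API) next to a hardened
// resolver that canonicalizes with realpathSync AND confines the result to a
// base directory. `baseDir` is an assumed parameter for this example.
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

// Pre-patch shape: whatever string arrives in transcript_path is dereferenced.
function statUnchecked(transcriptPath: string): fs.Stats | null {
  try {
    return fs.statSync(transcriptPath);
  } catch {
    return null;
  }
}

// Hardened shape. realpathSync collapses `..` segments and follows symlinks,
// but on its own it only tells you where the path really lands; the
// path.relative check is what rejects anything landing outside baseDir.
function resolveConfinedPath(transcriptPath: string, baseDir: string): string | null {
  try {
    const realBase = fs.realpathSync(baseDir);
    const realTarget = fs.realpathSync(transcriptPath);
    const rel = path.relative(realBase, realTarget);
    // '' means the target is baseDir itself; a leading '..' or an absolute
    // result (different drive on Windows) means it escaped.
    if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
      return null;
    }
    return realTarget;
  } catch {
    return null; // nonexistent file, dangling symlink or permission error
  }
}

function readConfinedTranscript(transcriptPath: string, baseDir: string): string | null {
  const real = resolveConfinedPath(transcriptPath, baseDir);
  return real === null ? null : fs.readFileSync(real, 'utf8');
}

// Constructed fixture: a workspace holding one transcript, a file outside it,
// and a symlink inside the workspace that points at the outside file.
function demo(): { inside: string | null; dotdot: string | null; symlink: string | null; uncheckedDotdot: boolean } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'hud-example-'));
  const workspace = path.join(root, 'workspace');
  fs.mkdirSync(workspace);
  fs.writeFileSync(path.join(workspace, 'session.jsonl'), '{"role":"user"}\n');
  fs.writeFileSync(path.join(root, 'outside.txt'), 'not a transcript\n');
  try {
    fs.symlinkSync(path.join(root, 'outside.txt'), path.join(workspace, 'link.jsonl'));
  } catch {
    // platforms without symlink support: the symlink case then reads as "missing"
  }
  const result = {
    inside: readConfinedTranscript(path.join(workspace, 'session.jsonl'), workspace),
    dotdot: readConfinedTranscript(path.join(workspace, '..', 'outside.txt'), workspace),
    symlink: readConfinedTranscript(path.join(workspace, 'link.jsonl'), workspace),
    // the unchecked variant happily stats the escaped path
    uncheckedDotdot: statUnchecked(path.join(workspace, '..', 'outside.txt')) !== null,
  };
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

The symlink case is the one realpathSync alone would pass: the link lives inside the workspace, so a naive prefix check on the unresolved string would accept it, while the resolved target lands outside and the relative-path check rejects it.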
Detection Methods for CVE-2026-47091
Indicators of Compromise
- Entries in the transcript-cache directory referencing paths outside expected project or workspace directories.
- Cache JSON files with metadata for sensitive paths such as /etc/passwd, SSH keys, or credential stores.
- Cache files with world-readable permissions exposing accessed file paths to other local users.
Detection Strategies
- Audit the Claude HUD plugin directory for cache entries whose transcript_path field points outside the user's project workspace.
- Inspect installed Claude HUD versions and flag any release at or below 0.0.12 as vulnerable.
- Monitor process telemetry for the HUD binary opening files unrelated to transcript data, particularly under /etc, ~/.ssh, or other sensitive paths.
Monitoring Recommendations
- Enable filesystem auditing on directories containing credentials and SSH keys to catch unexpected reads by the HUD process.
- Track stdin-driven invocations of Claude HUD and log the resolved transcript_path values for review.
- Alert on creation of new files in transcript-cache referencing absolute paths or sequences containing ../.
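The indicators, detection strategies and monitoring points above can be turned into an offline audit of the transcript-cache directory. The TypeScript below is an added example and not Claude HUD code. It assumes a cache layout the page only describes loosely: one JSON object per cache file carrying a transcript_path string. The function names (auditTranscriptCache, isOutsideWorkspace), the sensitive-prefix list (taken from the indicators above) and the temporary fixture are assumptions made for the example.

```typescript
// Added example, not Claude HUD code: an offline audit of a transcript-cache
// directory implementing the advisory's detection guidance. Assumed layout
// (the project's real schema may differ): each cache file is a JSON object
// carrying a `transcript_path` string.
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

interface Finding {
  file: string;
  reason: string;
  transcriptPath?: string;
}

// Sensitive locations named in the indicator list.
const SENSITIVE_PREFIXES: string[] = ['/etc', path.join(os.homedir(), '.ssh')];

function hasPrefix(p: string, prefix: string): boolean {
  return p === prefix || p.startsWith(prefix + path.sep) || p.startsWith(prefix + '/');
}

function isOutsideWorkspace(p: string, workspace: string): boolean {
  // Raw `..` segments are suspicious regardless of where they normalize to.
  if (p.split(/[\\/]/).includes('..')) return true;
  const rel = path.relative(path.resolve(workspace), path.resolve(p));
  return rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
}

function parseEntry(file: string): { transcript_path?: unknown } | null {
  try {
    return JSON.parse(fs.readFileSync(file, 'utf8'));
  } catch {
    return null;
  }
}

function auditTranscriptCache(cacheDir: string, workspace: string): Finding[] {
  const findings: Finding[] = [];
  for (const name of fs.readdirSync(cacheDir)) {
    if (!name.endsWith('.json')) continue;
    const file = path.join(cacheDir, name);
    // Any group/other bit lets another local user read the accessed-path record.
    const mode = fs.statSync(file).mode & 0o777;
    if ((mode & 0o077) !== 0) {
      findings.push({ file, reason: `readable by group/other (mode ${mode.toString(8)})` });
    }
    const entry = parseEntry(file);
    if (entry === null) {
      findings.push({ file, reason: 'unparseable cache entry' });
      continue;
    }
    const tp = entry.transcript_path;
    if (typeof tp !== 'string') continue;
    if (SENSITIVE_PREFIXES.some((prefix) => hasPrefix(tp, prefix))) {
      findings.push({ file, reason: 'sensitive path', transcriptPath: tp });
    } else if (isOutsideWorkspace(tp, workspace)) {
      findings.push({ file, reason: 'outside workspace', transcriptPath: tp });
    }
  }
  return findings;
}

// Constructed fixture: three cache entries, one of them deliberately
// world-readable, so the audit has something to flag.
function demo(): { reasons: string[]; count: number } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'hud-audit-'));
  const workspace = path.join(root, 'project');
  const cacheDir = path.join(root, 'transcript-cache');
  fs.mkdirSync(workspace);
  fs.mkdirSync(cacheDir);
  const entries: Array<[string, string, number]> = [
    ['a.json', path.join(workspace, 'session.jsonl'), 0o600], // benign
    ['b.json', '../../../../etc/passwd', 0o600],               // traversal string from the advisory
    ['c.json', '/etc/passwd', 0o644],                          // sensitive path plus leaky mode
  ];
  for (const [name, transcriptPath, mode] of entries) {
    const file = path.join(cacheDir, name);
    fs.writeFileSync(file, JSON.stringify({ transcript_path: transcriptPath }));
    fs.chmodSync(file, mode); // chmod is not subject to umask, unlike writeFile's mode option
  }
  const findings = auditTranscriptCache(cacheDir, workspace);
  fs.rmSync(root, { recursive: true, force: true });
  return { reasons: findings.map((f) => f.reason).sort(), count: findings.length };
}

console.log(demo());
```

Run it against a real installation by calling auditTranscriptCache with the plugin's transcript-cache directory and the project workspace; the permission finding is independent of the path findings, so a cache that contains only benign paths but is group- or world-readable still surfaces.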
How to Mitigate CVE-2026-47091
Immediate Actions Required
- Upgrade Claude HUD to a release containing commit 234d9aa or later, which adds path canonicalization.
- Remove or restrict permissions on existing transcript-cache directories to prevent local enumeration of previously accessed paths.
- Restrict who can pipe stdin to the Claude HUD process on shared systems.
Patch Information
The fix is committed in GitHub commit 234d9aa and merged via pull request #487. Tracking discussion is in issue #485. Additional context is published in the VulnCheck Security Advisory.
Workarounds
- Run Claude HUD under a dedicated low-privilege user account that has no access to sensitive files beyond its workspace.
- Tighten permissions on the HUD plugin directory so the cache is readable only by the owning user.
- Avoid invoking Claude HUD with untrusted stdin sources until the patched version is deployed.
# Restrict cache directory permissions and verify patched version
chmod 700 ~/.claude-hud/transcript-cache
npm ls claude-hud
npm install claude-hud@latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.