CVE-2026-35603 in claude-codeinfo

Zusammenfassung

von MITRE • 18.04.2026

Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. This issue has been fixed on version 2.1.75.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub M

Reservieren

03.04.2026

Veröffentlichung

18.04.2026

Moderieren

akzeptiert

Eintrag

VDB-358133

CPE

bereit

EPSS

0.00012

KEV

nein

Aktivitäten

very low

Sektor

Finance, Industry, ...

Quellen

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-35603
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-35603
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-35603/

ZurückÜbersichtWeiter

Might our Artificial Intelligence support you?

Check our Alexa App!