Claude Code is an agentic coding tool developed by anthropics that allows users to automate coding tasks. Prior to version 2.1.7, Claude Code improperly enforced deny rules specified in its settings.json configuration when accessing files via symbolic links. Specifically, if a user denied access to a sensitive file such as /etc/passwd, Claude Code would still be able to read that file if accessed through a symlink pointing to it. This occurs because the tool fails to resolve and enforce deny rules on the target of the symlink, effectively bypassing access restrictions. The vulnerability is classified under CWE-61 (Improper Handling of Symbolic Links) and CWE-285 (Improper Authorization). The CVSS 4.0 base score is 2.3, reflecting low severity due to the need for user interaction and limited confidentiality impact. The flaw does not require privileges but does require the user to initiate the action that triggers the file access. The issue was publicly disclosed and patched on February 6, 2026, with no known active exploits. This vulnerability could allow unauthorized reading of sensitive files, potentially exposing system or user data if exploited.

For European organizations, the impact of this vulnerability is generally low but context-dependent. Organizations using Claude Code versions prior to 2.1.7 risk unauthorized disclosure of sensitive files if an attacker can trick a user into performing actions that cause Claude Code to follow malicious symlinks. This could lead to exposure of critical system files or confidential data, undermining confidentiality. However, the vulnerability does not allow privilege escalation or code execution, limiting its impact on integrity and availability. In environments with strict data protection requirements, such as those governed by GDPR, even limited unauthorized data access could have compliance implications. The risk is higher in organizations where Claude Code is integrated into automated workflows handling sensitive files or where users have access to critical system resources. Since no known exploits exist yet, the immediate threat is low, but proactive patching is advisable to prevent future exploitation.

European organizations should immediately upgrade anthropics Claude Code to version 2.1.7 or later, where the vulnerability is patched. Additionally, organizations should audit their use of symbolic links within projects involving Claude Code to ensure no symlinks point to sensitive or restricted files. Implement strict file system permissions to limit user ability to create or manipulate symlinks that could be exploited. Employ monitoring to detect unusual file access patterns by Claude Code or related processes. Educate users about the risks of interacting with untrusted files or symlinks in their coding environments. For environments with high security requirements, consider sandboxing Claude Code executions or restricting its file system access using OS-level controls such as AppArmor or SELinux. Regularly review and update deny rules in settings.json to ensure they are comprehensive and correctly enforced after patching.