The vulnerability CVE-2026-25724 affects anthropics' Claude Code, an agentic coding tool, in versions before 2.1.7. Claude Code uses a settings.json file to enforce deny rules restricting access to certain files. However, the software failed to strictly enforce these deny rules when files were accessed via symbolic links. Specifically, if a user denied access to a sensitive file such as /etc/passwd, Claude Code could still read the file if it was accessed through a symlink pointing to it. This occurs because the deny rule enforcement did not correctly resolve or check the target of the symlink, allowing unauthorized file reads. The vulnerability is categorized under CWE-61 (Improper Handling of Symbolic Links) and CWE-285 (Improper Authorization). The CVSS 4.0 base score is 2.3, indicating low severity, with attack vector being network, low complexity, no privileges required, but requiring user interaction. The impact on confidentiality, integrity, and availability is low. The issue was patched in version 2.1.7 by improving deny rule enforcement to correctly handle symlink targets. There are no known exploits in the wild, and the vulnerability was publicly disclosed on February 6, 2026.

The primary impact of this vulnerability is unauthorized disclosure of sensitive files that were intended to be protected by deny rules in Claude Code. An attacker or user could leverage symlinks to bypass access restrictions and read files such as /etc/passwd, potentially exposing user account information. While this does not directly allow modification or deletion of files, the exposure of sensitive data can aid further attacks or reconnaissance. The vulnerability requires user interaction and network access but no privileges, which lowers the risk somewhat. The scope is limited to environments where Claude Code is used and deny rules are configured. Since Claude Code is an agentic coding tool, organizations relying on it for code generation or automation may be at risk of unintended data leaks. Overall, the impact is low but should not be ignored in sensitive environments.

Organizations should upgrade anthropics Claude Code to version 2.1.7 or later, where the vulnerability is patched. Until upgrading, administrators should audit and restrict the use of symbolic links in directories accessed by Claude Code, especially those pointing to sensitive files. Implement file system permissions to limit the creation and use of symlinks by untrusted users. Review and tighten deny rules in settings.json to minimize exposure. Additionally, monitor logs for unusual file access patterns involving symlinks. Employ runtime application self-protection (RASP) or endpoint detection to detect anomalous file reads. Educate users about the risks of symlink abuse and enforce least privilege principles for users running Claude Code. Finally, consider isolating Claude Code execution environments to limit potential data exposure.