Anthropics claude-code before version 2.1.75 on Windows suffers from an untrusted search path vulnerability (CWE-426). The application loads its system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without verifying directory ownership or access permissions. Since the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file. This malicious file would then be automatically loaded by any user launching Claude Code on the same machine, enabling potential privilege escalation or code execution in the context of the victim user. The vulnerability requires a shared multi-user Windows environment and user interaction (launching Claude Code). The issue is resolved in version 2.1.75.

A low-privileged local user on a shared Windows system could exploit this vulnerability to execute arbitrary code or escalate privileges by placing a malicious configuration file that is automatically loaded by Claude Code when launched by another user. This could compromise the security context of the victim user. The vulnerability does not affect single-user systems or require remote access. There are no known exploits in the wild.

This vulnerability is fixed in anthropics claude-code version 2.1.75. Users should upgrade to version 2.1.75 or later to remediate this issue. Until upgraded, restrict write permissions to the C:\ProgramData\ClaudeCode directory to prevent unprivileged users from creating or modifying configuration files. No other vendor advisory or patch information is available, so check the vendor's official channels for updates.