Anthropics claude-code before version 2.1.75 on Windows suffers from an untrusted search path vulnerability (CWE-426). The application loads its system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without verifying directory ownership or access permissions. Since the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file. When any user launches Claude Code, the malicious configuration would be loaded, potentially allowing code execution or privilege escalation. This vulnerability affects shared multi-user Windows environments and requires user interaction to launch the vulnerable application. The issue is resolved in version 2.1.75.

A low-privileged local user on a shared Windows system can place a malicious configuration file that will be loaded by any user launching Claude Code, potentially leading to unauthorized code execution or privilege escalation. The vulnerability requires a victim user to launch the application after the malicious file is placed. There are no known exploits in the wild. The CVSS 4.0 base score is 5.4, indicating medium severity.

This vulnerability has been fixed in anthropics claude-code version 2.1.75. Users should upgrade to version 2.1.75 or later to remediate this issue. Since the vulnerability requires a shared multi-user Windows environment and local user access, restricting write permissions to the ProgramData\ClaudeCode directory and ensuring it is pre-created with proper access controls can serve as a temporary mitigation. Patch status is not explicitly stated beyond the fix in version 2.1.75; verify with the vendor for official advisories.