CVE-2026-46406: CWE-59: Improper Link Resolution Before File Access ('Link Following') in anthropics claude-code
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the /copy command. This vulnerability is fixed in 2.1.128.
AI Analysis
Technical Summary
The vulnerability in anthropics claude-code involves improper link resolution before file access (CWE-59). Specifically, the /copy command writes responses to a hardcoded path (/tmp/claude/response.md) that is world-readable and located in a world-traversable directory. Because the path is predictable and lacks UID isolation, randomness, or symlink protection, a local attacker can read privileged users' responses or create a symlink to cause the privileged process to overwrite arbitrary files. Exploitation requires a local unprivileged user and a privileged user running the /copy command. This vulnerability is resolved in version 2.1.128.
Potential Impact
An attacker with local unprivileged access can read sensitive information from privileged users due to world-readable files in a predictable location. Additionally, the attacker can cause arbitrary file overwrite by exploiting symlink following, potentially leading to privilege escalation or data corruption. The vulnerability requires local access and user interaction with the privileged /copy command.
Mitigation Recommendations
This vulnerability is fixed in claude-code version 2.1.128. Users should upgrade to version 2.1.128 or later to remediate the issue. No official patch or temporary fix is indicated other than upgrading. Until upgraded, restrict local user access and avoid running the /copy command with elevated privileges if possible.
CVE-2026-46406: CWE-59: Improper Link Resolution Before File Access ('Link Following') in anthropics claude-code
Description
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the /copy command. This vulnerability is fixed in 2.1.128.
CVSS v4.0
Score 4.4medium
Affected software
pkg:github/anthropics/claude-codeRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in anthropics claude-code involves improper link resolution before file access (CWE-59). Specifically, the /copy command writes responses to a hardcoded path (/tmp/claude/response.md) that is world-readable and located in a world-traversable directory. Because the path is predictable and lacks UID isolation, randomness, or symlink protection, a local attacker can read privileged users' responses or create a symlink to cause the privileged process to overwrite arbitrary files. Exploitation requires a local unprivileged user and a privileged user running the /copy command. This vulnerability is resolved in version 2.1.128.
Potential Impact
An attacker with local unprivileged access can read sensitive information from privileged users due to world-readable files in a predictable location. Additionally, the attacker can cause arbitrary file overwrite by exploiting symlink following, potentially leading to privilege escalation or data corruption. The vulnerability requires local access and user interaction with the privileged /copy command.
Mitigation Recommendations
This vulnerability is fixed in claude-code version 2.1.128. Users should upgrade to version 2.1.128 or later to remediate the issue. No official patch or temporary fix is indicated other than upgrading. Until upgraded, restrict local user access and avoid running the /copy command with elevated privileges if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-13T21:04:10.932Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a42868627e9c7971906ce01
Added to database: 06/29/2026, 14:51:50 UTC
Last enriched: 06/29/2026, 15:08:36 UTC
Last updated: 06/29/2026, 21:02:07 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.