CVE-2026-25724

Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/anthropics/claude-code/security/advisories/GHSA-4q92-rfm6-2cqx	Third Party Advisory
https://www.terra.security/blog/when-ai-becomes-the-attack-surface-lessons-from-discovering-cve-2026-25724

Configurations

Configuration 1 (hide)

cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-02-06 18:16

Updated : 2026-03-27 22:16

NVD link : CVE-2026-25724

Mitre link : CVE-2026-25724

CVE.ORG link : CVE-2026-25724

JSON object : View

Products Affected

anthropic

claude_code

CWE

CWE-61

UNIX Symbolic Link (Symlink) Following

CWE-285

Improper Authorization

{"id": "CVE-2026-25724", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-06T18:16:00.037", "references": [{"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-4q92-rfm6-2cqx", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.terra.security/blog/when-ai-becomes-the-attack-surface-lessons-from-discovering-cve-2026-25724", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-61"}, {"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7."}, {"lang": "es", "value": "Claude Code es una herramienta de codificaci\u00f3n ag\u00e9ntica. Antes de la versi\u00f3n 2.1.7, Claude Code no aplicaba estrictamente las reglas de denegaci\u00f3n configuradas en settings.json al acceder a archivos a trav\u00e9s de enlaces simb\u00f3licos. Si un usuario denegaba expl\u00edcitamente a Claude Code el acceso a un archivo (como /etc /passwd) y Claude Code ten\u00eda acceso a un enlace simb\u00f3lico que apuntaba a ese archivo, era posible que Claude Code leyera el archivo restringido a trav\u00e9s del enlace simb\u00f3lico sin activar la aplicaci\u00f3n de la regla de denegaci\u00f3n. Este problema ha sido parcheado en la versi\u00f3n 2.1.7."}], "lastModified": "2026-03-27T22:16:20.317", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "25EC5B17-180E-4453-815D-F324DF589561", "versionEndExcluding": "2.1.7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}