CVE-2026-46406
Received Received - Intake

Claude Code Arbitrary File Write and Information Disclosure

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the /copy command. This vulnerability is fixed in 2.1.128.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A
NVD
CVE-2026-46406
EUVD
EUVD-2026-40116

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
claude code From 2.1.59 (inc) to 2.1.128 (inc)
claude code 2.1.128
anthropic-ai claude-code From 2.1.59 (inc) to 2.1.128 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-377 Creating and using insecure temporary files can leave application and system data vulnerable to attack.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46406 is a vulnerability in the Claude Code /copy command affecting versions from 2.1.59 up to but not including 2.1.128. The command writes its responses to a fixed, predictable file path (/tmp/claude/response.md) without isolating by user ID, adding randomness, or protecting against symbolic link (symlink) attacks.

The file is created with world-readable permissions (0644) inside a directory that any user can traverse (0755). This setup allows any local user on the system to read the responses generated by privileged users, which may contain sensitive information such as secrets or credentials.

Additionally, because the file path is static and predictable, a local attacker can create the directory and place a symlink at the expected file location. When the privileged process writes the response, it follows the symlink and overwrites an attacker-chosen file, potentially compromising system integrity.

Exploitation requires both a local unprivileged user and a privileged user running the /copy command. The vulnerability has been fixed in version 2.1.128.

Impact Analysis

This vulnerability can impact you by exposing sensitive information and compromising system integrity.

  • Confidentiality impact: Any local user can read privileged users' Claude responses, which may include secrets or credentials.
  • Integrity impact: An attacker can overwrite arbitrary files by exploiting the predictable file path and symlink attack, potentially altering important system files.
  • Availability impact: Overwriting critical files could disrupt normal system operations.

Overall, the vulnerability poses a moderate risk (CVSS score 4.4) and requires local access by an unprivileged user and a privileged user running the vulnerable command.

Detection Guidance

This vulnerability involves the creation of a predictable file at /tmp/claude/response.md with world-readable permissions in a world-traversable directory. To detect it, you can check for the existence and permissions of this file and directory.

  • Run: ls -ld /tmp/claude to verify the directory permissions (should be 0755).
  • Run: ls -l /tmp/claude/response.md to check if the file exists and its permissions (should be 0644).
  • Check for symlinks at /tmp/claude/response.md using: ls -l /tmp/claude/response.md to see if it points to another file.
  • Monitor if privileged users are running the /copy command of Claude Code versions between 2.1.59 and 2.1.128.
Mitigation Strategies

The primary mitigation is to update Claude Code to version 2.1.128 or later, where the vulnerability has been fixed.

Until the update can be applied, restrict local user access to the /tmp/claude directory to prevent unauthorized reading or symlink creation.

Avoid running the /copy command as a privileged user if possible, or ensure it is run in a secure environment.

Regularly audit the /tmp/claude directory for unexpected files or symlinks.

Compliance Impact

This vulnerability allows any local user to read privileged users' Claude responses, which could contain secrets or credentials, leading to sensitive information exposure.

Exposure of sensitive information such as secrets or credentials can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

Additionally, the ability for an attacker to overwrite arbitrary files via symlink attacks can compromise data integrity, further impacting compliance with standards that mandate data integrity and security controls.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46406. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart