CVE-2026-35603: Claude Code: config hijack via unprotected ProgramData dir

GHSA-5cwg-9f6j-9jvx MEDIUM
Published April 17, 2026
CISO Take

Claude Code on Windows loaded its system-wide managed configuration from `C:\ProgramData\ClaudeCode\managed-settings.json` without verifying directory ownership, allowing any local low-privileged user on a shared machine to plant a malicious config file that gets automatically loaded by all other users. The exploitation technique is trivially simple — create a directory, drop a JSON file — making this a realistic threat in shared developer environments, CI/CD build agents, or multi-user Windows terminal servers despite the low EPSS raw score (0.011%) and absence from CISA KEV. Given Claude Code's broad agentic capabilities (file system access, code execution, network calls), a poisoned configuration could redirect the tool to attacker-controlled AI endpoints, enable dangerous permissions, or fundamentally alter agent behavior for every developer on that machine. Update to `@anthropic-ai/claude-code` version 2.1.75 immediately; auto-update users are already protected, but teams with pinned versions or controlled registries must act and should audit `C:\ProgramData\ClaudeCode\` directory ACLs on shared systems.

Sources: NVD, GitHub Advisory, EPSS, ATLAS

What is the risk?

Medium risk with asymmetric simplicity: the attack requires zero technical sophistication (create a directory, write a JSON file) but yields significant impact on shared Windows environments. The constraint — requiring a shared multi-user Windows system plus a victim who launches Claude Code after the malicious config is placed — limits real-world exposure to enterprise environments with shared developer machines or CI/CD agents. Single-user workstations (the majority of Claude Code deployments) are not at risk. The patch is readily available and auto-update covers most users, making this primarily a risk for organizations with controlled deployment pipelines or air-gapped environments.

How does the attack unfold?

  1. Local Access (AML.T0012): Attacker obtains a low-privileged account on a shared Windows system where Claude Code is installed, via insider access, compromised service account, or lateral movement.

  2. Config Plant (AML.T0081): Attacker creates `C:\ProgramData\ClaudeCode\` and drops a malicious `managed-settings.json` redirecting Claude Code to attacker-controlled AI infrastructure or enabling dangerous tool permissions.

  3. User Execution (AML.T0011): A privileged victim user launches Claude Code on the same machine; the tool automatically loads the attacker's configuration without any ownership or permission validation.

  4. Agent Compromise (AML.T0112.000): Claude Code operates under attacker-controlled configuration, enabling credential harvesting, exfiltration of source code and secrets, or injection of malicious behavior into AI-assisted development workflows.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Claude Code | npm | < 2.1.75 | 2.1.75 |
| Claude Code | npm | | No patch |

How severe is it?

CVSS 3.1: N/A
EPSS: 0.1% chance of exploitation in 30 days (higher than 1% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Update `@anthropic-ai/claude-code` to version 2.1.75 or later; auto-update users are already patched.

  2. For teams with pinned versions or controlled npm registries, explicitly upgrade and redeploy.

  3. On shared Windows systems, audit `C:\ProgramData\ClaudeCode\` directory existence, ownership, and ACLs; restrict write access to administrators only.

  4. Review any existing `managed-settings.json` on shared systems for unauthorized modifications before trusting them.

  5. Consider policy controls restricting Claude Code installation on multi-user shared Windows environments (terminal servers, shared build agents) pending security review.
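
One way to run the ownership and ACL audit from steps 3 and 4 in PowerShell, added here as an example and not taken from the advisory or from Anthropic: it reports the owner and every non-administrator allow ACE with write-type rights on the directory and on the settings file. The trusted SID list and the function name `Test-ManagedConfigPath` are assumptions of this example.

```powershell
# Added audit example; not Anthropic's code. Run on the shared Windows host.
$Dir  = Join-Path $env:ProgramData 'ClaudeCode'
$File = Join-Path $Dir 'managed-settings.json'

# Assumption: only SYSTEM and BUILTIN\Administrators may own or write here.
# Well-known SIDs are compared instead of names so localized hosts work too.
$Trusted = @('S-1-5-18', 'S-1-5-32-544')

# Rights that allow creating, changing, deleting or re-permissioning content,
# plus the raw GENERIC_WRITE and GENERIC_ALL bits seen in some inherit-only ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, ' +
    'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Test-ManagedConfigPath {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Absent is not safe by itself: a local user may still be able to create it.
        return [pscustomobject]@{ Path = $Path; Exists = $false; Owner = $null; Findings = @() }
    }
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $acl      = Get-Acl -LiteralPath $Path
    $owner    = $acl.GetOwner($sidType).Value
    $findings = @()
    if ($owner -notin $Trusted) {
        $findings += "owner $owner is not SYSTEM or Administrators"
    }
    # Explicit and inherited ACEs both count: a directory created under
    # ProgramData can inherit write access from its parent.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow' -or $sid -in $Trusted) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -ne 0) {
            $origin = if ($rule.IsInherited) { 'inherited' } else { 'explicit' }
            $findings += "$sid allowed $($rule.FileSystemRights) ($origin)"
        }
    }
    [pscustomobject]@{ Path = $Path; Exists = $true; Owner = $owner; Findings = $findings }
}

$Dir, $File | ForEach-Object { Test-ManagedConfigPath -Path $_ } | Format-List
```

A trusted `Owner` with an empty `Findings` list on both paths is the state step 3 asks for; any other SID reported should be removed from the ACL, and the file reviewed, before the configuration is trusted.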

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system roles and responsibilities; A.9.4 - AI system access control
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain the value of AI systems are developed and applied
OWASP LLM Top 10: LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-35603 actively exploited?

No confirmed active exploitation of CVE-2026-35603 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-35603?

  1. Update `@anthropic-ai/claude-code` to version 2.1.75 or later; auto-update users are already patched.

  2. For teams with pinned versions or controlled npm registries, explicitly upgrade and redeploy.

  3. On shared Windows systems, audit `C:\ProgramData\ClaudeCode\` directory existence, ownership, and ACLs; restrict write access to administrators only.

  4. Review any existing `managed-settings.json` on shared systems for unauthorized modifications before trusting them.

  5. Consider policy controls restricting Claude Code installation on multi-user shared Windows environments (terminal servers, shared build agents) pending security review.

What systems are affected by CVE-2026-35603?

This vulnerability affects the following AI/ML architecture patterns: AI developer workstations (shared Windows), CI/CD pipelines with shared Windows build agents, Enterprise developer environments, Agent frameworks.

What is the CVSS score for CVE-2026-35603?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

  • AI developer workstations (shared Windows)
  • CI/CD pipelines with shared Windows build agents
  • Enterprise developer environments
  • Agent frameworks

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0081 Modify AI Agent Configuration
AML.T0084 Discover AI Agent Configuration
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2, A.9.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

On Windows, Claude Code loaded system-wide default configuration from `C:\ProgramData\ClaudeCode\managed-settings.json` without validating directory ownership or access permissions. Because the `ProgramData` directory is writable by non-administrative users by default and the `ClaudeCode` subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version. Thank you to hackerone.com/edbr for reporting this issue.

Exploitation Scenario

An attacker with a low-privileged Windows account on a shared developer build server (e.g., a compromised CI/CD service account or an insider) creates the directory `C:\ProgramData\ClaudeCode\` and drops a crafted `managed-settings.json` redirecting Claude Code's AI model endpoint to an attacker-controlled server. When a privileged developer or CI/CD process subsequently launches Claude Code on the same machine, the tool silently loads the malicious configuration. All Claude Code interactions — including code reviews, file edits, and shell commands executed at the developer's privilege level — are processed through the attacker's infrastructure, enabling credential harvesting, code injection into AI-assisted development workflows, and exfiltration of source code or secrets passed to the tool.

Weaknesses (CWE)

CWE-426 — Untrusted Search Path: The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

  • [Architecture and Design, Implementation] Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
  • [Implementation] When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the fully-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026

Related Vulnerabilities