The Claude Code `/copy` command wrote responses to a hardcoded, predictable path (`/tmp/claude/response.md`) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged...
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Claude Code | npm | >= 2.1.59, < 2.1.128 | 2.1.128 |
If you run Claude Code in the vulnerable range (2.1.59 up to, but not including, 2.1.128), you are affected; the issue matters most on hosts shared with other local users, since exploitation requires a second, unprivileged local account on the same system.
How severe is it?
No CVSS score has been assigned yet. The bug is a local information-disclosure and symlink-following issue: it needs a local attacker on the same machine and a privileged user who runs `/copy`.
What should I do?
Patch available: update Claude Code to version 2.1.128 or later. Installs on standard auto-update have already received the fix; manual installs need to be updated by hand.
Frequently Asked Questions
What is CVE-2026-46406?
CVE-2026-46406 is an insecure temporary file bug in the Claude Code `/copy` command. Responses were written to the fixed path `/tmp/claude/response.md` as a world-readable file (mode 0644) inside a world-traversable directory (mode 0755), with no per-user isolation, no random component and no protection against symlinks. Any local user could therefore read a privileged user's Claude response, which may contain secrets or credentials, and because the path was predictable, a local attacker could plant a symlink there so that the privileged process overwrote an attacker-chosen file with the response text. Exploitation requires an unprivileged local user on the same host and a privileged user running `/copy`. The full advisory text is reproduced under "Original Advisory" below.
Is CVE-2026-46406 actively exploited?
No confirmed active exploitation of CVE-2026-46406 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-46406?
Update to patched version: Claude Code 2.1.128.
What is the CVSS score for CVE-2026-46406?
No CVSS score has been assigned yet.
What are the technical details?
Original Advisory
The Claude Code `/copy` command wrote responses to a hardcoded, predictable path (`/tmp/claude/response.md`) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the `/copy` command. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version. Claude Code thanks hackerone.com/c_h4ck_0 for reporting this issue.
Weaknesses (CWE)
- CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (Primary)
- CWE-377 Insecure Temporary File (Primary)
- CWE-59 Improper Link Resolution Before File Access ('Link Following') (Primary)
CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
Related Vulnerabilities
- CVE-2026-2611 (9.6) MLflow: cross-origin bypass enables RCE via AI agent
- CVE-2026-7574 (8.7) Claude Desktop: VM integrity bypass enables RCE
- CVE-2026-35020 (8.4) Claude Code CLI: OS command injection via TERMINAL env
- CVE-2026-44246 (7.2) nnU-Net: prompt injection hijacks CI/CD triage agent
- CVE-2026-47128 (6.1) nono-cli: sandbox escape via Unix socket bypass