216.73.217.176

CVE-2026-35603

· Published 17/04/2026 21:16 · Modified 17/04/2026 21:16

Labels: CVE-2026-35603 2026-04-17CVE-2026-35603CWE-426[email protected]

Essential information

Published
17/04/2026 21:16
Modified
17/04/2026 21:16
Author
Creator
CVSS
5.4 MEDIUM (v3) 5.4 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. This issue has been fixed on version 2.1.75.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
claudecode / claude code cpe:2.3:a:claudecode:claude_code:<2.1.75:*:*:*:*:*:*:*

References