CVE-2026-25724
Published: 06 February 2026
Summary
CVE-2026-25724 is a low-severity UNIX Symbolic Link (Symlink) Following (CWE-61) vulnerability in Anthropic Claude Code. Its CVSS base score is 2.3 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It is ranked at the 19.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Deeper analysis
Claude Code, an agentic coding tool from Anthropic, is affected by CVE-2026-25724 in versions prior to 2.1.7. The vulnerability stems from a failure to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. Specifically, if a user denied access to a sensitive file like /etc/passwd, Claude Code could still read it via a symbolic link to which it had access, bypassing the deny rule enforcement. This issue is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-61 (Symbolic Link Following) and CWE-285 (Improper Authorization).
Attackers can exploit this vulnerability remotely without privileges or user interaction over a network connection with low complexity. By controlling or influencing a symbolic link that Claude Code accesses during its operations, an attacker can trick the tool into reading restricted files, achieving high-impact unauthorized disclosure of confidential information such as system passwords or other sensitive data pointed to by the symlinks.
The GitHub security advisory (GHSA-4q92-rfm6-2cqx) and a Terra Security blog post detail the patch in Claude Code version 2.1.7, which enforces deny rules consistently even for symlink access. Security practitioners should upgrade to version 2.1.7 or later and review settings.json configurations to ensure proper deny rules are in place, particularly in environments where Claude Code handles file operations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5614
Vulnerability details
Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7.
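The bypass described in the deeper analysis and vulnerability details above, shown as an added example that is not Claude Code's own code: a hypothetical simplified deny list matched against the path as written (the CWE-61 pattern) beside the same check made on the canonical, symlink-resolved path. The settings.json rule format and the file names are assumptions; the sandbox files are constructed in a temporary directory.

```python
"""Constructed illustration of CVE-2026-25724's bug class (CWE-61):
a deny rule matched against the literal path is bypassed by a symlink,
while matching against the canonical path is not. Hypothetical model,
not Claude Code's actual permission code or settings.json format."""
import os
import tempfile


def is_denied_naive(path, deny_rules):
    # Compares the path exactly as the caller wrote it. A symlink to a
    # denied file never equals the denied path, so the rule is skipped.
    return os.path.abspath(path) in deny_rules


def is_denied_canonical(path, deny_rules):
    # Resolve every symlink component first, then compare against deny
    # rules that were themselves canonicalised; the alias no longer helps.
    real = os.path.realpath(path)
    return real in {os.path.realpath(rule) for rule in deny_rules}


def guarded_read(path, deny_rules, check):
    """Return the file's contents, or None when `check` denies the read."""
    if check(path, deny_rules):
        return None
    with open(path) as fh:
        return fh.read()


def demo():
    """Build a constructed sandbox: a 'secret' file (stand-in for the
    /etc/passwd case on the page), a deny rule for it, and a symlink to
    it. Returns what each check lets through."""
    root = tempfile.mkdtemp()
    secret = os.path.join(root, "secret.txt")    # the denied file
    link = os.path.join(root, "innocent.txt")    # symlink the tool may read
    with open(secret, "w") as fh:
        fh.write("constructed sample secret\n")
    os.symlink(secret, link)
    deny = [secret]                              # assumed deny-rule shape
    return {
        "direct_naive": guarded_read(secret, deny, is_denied_naive),
        "symlink_naive": guarded_read(link, deny, is_denied_naive),
        "symlink_canonical": guarded_read(link, deny, is_denied_canonical),
    }


if __name__ == "__main__":
    print(demo())
```

The canonical check is what a reference monitor (AC-25) style enforcement point needs: every read is resolved to the real target before deny rules are consulted.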
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: claude
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthorized local file reads (e.g. /etc/passwd) via a symlink bypass of deny rules, directly facilitating data collection from the local system and retrieval of credentials stored in files.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved access control policies, including deny rules on file accesses, directly preventing bypass via symbolic links.
- AC-25 (Reference Monitor): Implements a reference monitor to mediate all file access requests, ensuring symbolic link resolution is checked against deny rules.
- SI-2 (Flaw Remediation): Requires identification, reporting, and correction of flaws like improper enforcement of deny rules through symlinks, enabling timely patching.