CVE-2026-25724
Published: 06 February 2026
Summary
CVE-2026-25724 is a high-severity UNIX Symbolic Link (Symlink) Following (CWE-61) vulnerability in Anthropic Claude Code. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as APIs and Models.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Documented procedures facilitate correct implementation and ongoing management of authorization decisions.
- Periodic reviews identify and correct flaws in authorization decisions or enforcement.
- The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.
- Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.
- Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.
- The control explicitly requires authorization of each wireless access type prior to permitting connections.
- Mandating explicit authorization of mobile device connections reduces the risk of improper authorization decisions for system access.
- Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthorized reads of local files (for example /etc/passwd) by using a symlink to bypass deny rules, which directly facilitates collection of data from the local system and retrieval of credentials stored in files.
NVD Description
Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7.
Deeper analysis
Claude Code, an agentic coding tool from Anthropic, is affected by CVE-2026-25724 in versions prior to 2.1.7. The vulnerability stems from a failure to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. Specifically, if a user denied access to a sensitive file like /etc/passwd, Claude Code could still read it via a symbolic link to which it had access, bypassing the deny rule enforcement. This issue is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-61 (Symbolic Link Following) and CWE-285 (Improper Authorization).
The CVSS vector scores the issue as exploitable over the network with low complexity, no privileges and no user interaction, but the read itself is performed by the local Claude Code process. The practical attacker path is to control or plant a symbolic link somewhere Claude Code is permitted to read, for example in a repository or working directory the user points the tool at: because the path Claude Code evaluates is the link rather than its target, the deny rule is never consulted and the tool reads, and can disclose, the protected file (system account data in /etc/passwd, or whatever else the rule was meant to guard).
The GitHub security advisory (GHSA-4q92-rfm6-2cqx) and a Terra Security blog post detail the patch in Claude Code version 2.1.7, which enforces deny rules consistently even for symlink access. Security practitioners should upgrade to version 2.1.7 or later and review settings.json configurations to ensure proper deny rules are in place, particularly in environments where Claude Code handles file operations.
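The following is an added illustration of the weakness class behind this CVE; it is not Claude Code's source and does not reproduce the settings.json rule grammar. It assumes a deny list of absolute file or directory paths and contrasts a lexical match on the path as written (the pattern that lets a symlink through) with a match on the realpath-resolved target, then adds a small audit walk that flags symlinks in a working tree which resolve into a denied location. The directory tree and the sample passwd line are constructed inside a temporary directory so the script runs offline.

```python
"""Symlink bypass of a path deny list, and one way to close it.

Added example for CVE-2026-25724's weakness class (CWE-61); not Claude Code's
code. Assumes deny rules are absolute paths or directory prefixes.
"""
import os
import tempfile


def _under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies inside directory prefix."""
    prefix = prefix.rstrip("/")
    if not prefix:  # a rule of "/" denies everything
        return True
    return path == prefix or path.startswith(prefix + "/")


def naive_is_denied(requested: str, deny: list[str]) -> bool:
    """Vulnerable pattern: compare the deny list against the path as given.
    A symlink, or a symlinked parent directory, has a different lexical path,
    so it slips past the rule even though it names the same file."""
    return any(_under(os.path.normpath(requested), d) for d in deny)


def hardened_is_denied(requested: str, deny: list[str]) -> bool:
    """Fix: resolve every symlink component of both the request and the rule
    before comparing, so the check sees the file that will actually be opened."""
    real = os.path.realpath(requested)
    return any(_under(real, os.path.realpath(d)) for d in deny)


def read_if_allowed(requested, deny, is_denied):
    """Return the file contents, or None when the policy blocks the read."""
    if is_denied(requested, deny):
        return None
    with open(requested) as fh:
        return fh.read()


def audit_symlinks(root, deny):
    """Walk root without following links and list symlinks that resolve into a
    denied location: what to look for in a checkout handed to an agentic tool."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) and hardened_is_denied(p, deny):
                hits.append((p, os.path.realpath(p)))
    return sorted(hits)


def demo():
    """Constructed scenario: a protected directory, a working tree holding a file
    symlink and a directory symlink into it, and a deny rule for the directory."""
    with tempfile.TemporaryDirectory() as tmp:
        protected = os.path.join(tmp, "protected")
        os.makedirs(protected)
        target = os.path.join(protected, "passwd")
        with open(target, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line

        work = os.path.join(tmp, "work")
        os.makedirs(work)
        file_link = os.path.join(work, "notes.txt")  # -> protected/passwd
        os.symlink(target, file_link)
        dir_link = os.path.join(work, "cfg")  # -> protected/
        os.symlink(protected, dir_link)
        via_dir_link = os.path.join(dir_link, "passwd")

        deny = [protected]
        return {
            "naive_direct": read_if_allowed(target, deny, naive_is_denied),
            "naive_via_file_link": read_if_allowed(file_link, deny, naive_is_denied),
            "naive_via_dir_link": read_if_allowed(via_dir_link, deny, naive_is_denied),
            "hardened_via_file_link": read_if_allowed(file_link, deny, hardened_is_denied),
            "hardened_via_dir_link": read_if_allowed(via_dir_link, deny, hardened_is_denied),
            "audit": [os.path.basename(p) for p, _ in audit_symlinks(work, deny)],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The naive checker blocks the direct path but hands back the passwd contents through both the file link and the directory link; the resolved-path checker blocks both, and the audit walk names both links. Resolving and then opening is still a check-then-use sequence: a link swapped in between the two calls would defeat it, so a production implementation should also open with O_NOFOLLOW or verify the opened descriptor with fstat rather than trust the path string alone.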
AI Security Analysis
- AI Category: APIs and Models
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: matched keyword "claude" (5 occurrences)