Cyber Resilience

CVE-2026-25724

Severity: Low
Published: 06 February 2026
Modified: 27 March 2026
KEV Added: not listed (see Summary)
Patch: (no value recorded)
CVSS v4.0 score: 2.3 (vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0006 (19.3rd percentile)
Risk Priority: 5 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25724 is a low-severity UNIX Symbolic Link (Symlink) Following (CWE-61) vulnerability in Anthropic Claude Code. Its CVSS base score is 2.3 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability is ranked at the 19.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

Claude Code, an agentic coding tool from Anthropic, is affected by CVE-2026-25724 in versions prior to 2.1.7. The vulnerability stems from a failure to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. Specifically, if a user denied access to a sensitive file like /etc/passwd, Claude Code could still read it via a symbolic link to which it had access, bypassing the deny rule enforcement. This issue is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-61 (Symbolic Link Following) and CWE-285 (Improper Authorization).

Attackers can exploit this vulnerability remotely without privileges or user interaction over a network connection with low complexity. By controlling or influencing a symbolic link that Claude Code accesses during its operations, an attacker can trick the tool into reading restricted files, achieving high-impact unauthorized disclosure of confidential information such as system passwords or other sensitive data pointed to by the symlinks.

The GitHub security advisory (GHSA-4q92-rfm6-2cqx) and a Terra Security blog post detail the patch in Claude Code version 2.1.7, which enforces deny rules consistently even for symlink access. Security practitioners should upgrade to version 2.1.7 or later and review settings.json configurations to ensure proper deny rules are in place, particularly in environments where Claude Code handles file operations.
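As an added illustration (not Claude Code's own code; the deny-list format and file names are constructed stand-ins for settings.json deny rules), the following contrasts a deny check that matches only the literal path with one that resolves symlinks before matching, which is the class of fix the advisory describes:

```python
"""Deny-rule check for file reads: literal path matching vs. matching after
symlink resolution. Illustrative only; the rule format is a constructed
stand-in for settings.json deny rules, not Claude Code's actual schema."""
import fnmatch
import os
import tempfile

# Constructed sample deny list (glob patterns over absolute paths).
SAMPLE_DENY_RULES = ["/etc/passwd", "/etc/shadow", "/home/*/.ssh/*"]


def naive_is_denied(requested_path, deny_rules):
    """Vulnerable pattern: match only the literal path the caller supplied.
    A link such as /tmp/innocent.txt -> /etc/passwd matches no rule, so the
    read proceeds and the deny rule is bypassed (CWE-61)."""
    literal = os.path.normpath(requested_path)
    return any(fnmatch.fnmatchcase(literal, rule) for rule in deny_rules)


def hardened_is_denied(requested_path, deny_rules, resolve=os.path.realpath):
    """Hardened pattern: resolve every symlink component first (realpath), then
    match both the literal path and its real target against the deny list.
    `resolve` is injectable so the check can be unit-tested without a filesystem.
    Caveat: check-then-open is still racy if the link is swapped in between;
    opening first and fstat-ing the descriptor against the resolved target
    closes that gap, which this illustration omits."""
    candidates = {os.path.normpath(requested_path), resolve(requested_path)}
    return any(fnmatch.fnmatchcase(c, rule)
               for c in candidates for rule in deny_rules)


def demo():
    """Create a real symlink to a denied path and compare both checks.
    Returns (naive_verdict, hardened_verdict)."""
    with tempfile.TemporaryDirectory() as workdir:
        link = os.path.join(workdir, "innocent.txt")
        os.symlink("/etc/passwd", link)  # target need not exist for realpath
        return (naive_is_denied(link, SAMPLE_DENY_RULES),
                hardened_is_denied(link, SAMPLE_DENY_RULES))


if __name__ == "__main__":
    naive, hardened = demo()
    print(f"naive check denies symlink read: {naive}")        # False: bypassed
    print(f"hardened check denies symlink read: {hardened}")  # True: blocked
```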

EU & UK References

Vulnerability details

Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7.

CWE(s)

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: claude

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

The vulnerability enables unauthorized local file reads (e.g. /etc/passwd) via a symlink bypass of deny rules, directly facilitating data collection from the local system and retrieval of credentials stored in files.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39861 (same product: Anthropic Claude Code)
CVE-2026-24887 (same product: Anthropic Claude Code)
CVE-2026-25725 (same product: Anthropic Claude Code)
CVE-2026-33068 (same product: Anthropic Claude Code)
CVE-2025-54794 (same product: Anthropic Claude Code)
CVE-2026-21852 (same product: Anthropic Claude Code)
CVE-2026-25722 (same product: Anthropic Claude Code)
CVE-2026-24052 (same product: Anthropic Claude Code)
CVE-2026-40068 (same product: Anthropic Claude Code)
CVE-2025-54795 (same product: Anthropic Claude Code)

Affected Assets

Vendor: anthropic
Product: claude code
Versions: ≤ 2.1.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement, as named in the Summary): Enforces approved access control policies, including deny rules on file accesses, directly preventing bypass via symbolic links.

Prevent (AC-25, Reference Monitor, as named in the Summary): Implements a reference monitor to mediate all file access requests, ensuring symbolic link resolution is checked against deny rules.

Prevent: Requires identification, reporting, and correction of flaws such as improper enforcement of deny rules through symlinks, enabling timely patching.

References