Cyber Posture

CVE-2026-35603

High · LPE

Published: 17 April 2026
Modified: 22 April 2026
KEV Added: N/A
Patch: N/A
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35603 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Anthropic Claude Code. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 1.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as APIs and Models.

The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SC-4 (Information in Shared System Resources).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- SC-4 (Information in Shared System Resources), prevent: Prevents unauthorized information transfer via shared system resources like the writable ProgramData directory by requiring validation of directory ownership and permissions before loading configuration files.
- prevent: Requires validation of configuration inputs from untrusted paths to block malicious managed-settings.json files from being processed.
- CM-5 (Access Restrictions for Change), prevent: Restricts creation and modification of configuration directories and files in shared locations like C:\ProgramData\ClaudeCode to authorized users, preventing low-privileged exploitation.

MITRE ATT&CK Enterprise Techniques [AI]

- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1574.008 Path Interception by Search Order Hijacking (Stealth): Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.

Why these techniques?

The vulnerability lets a low-privileged user place a malicious config file in the expected system path (C:\ProgramData\ClaudeCode) because ownership and permission checks are missing. This enables path interception via search order and privilege escalation when higher-privileged users launch the application.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. This issue has been fixed on version 2.1.75.

Deeper analysis [AI]

CVE-2026-35603 affects Claude Code, an agentic coding tool, in versions prior to 2.1.75 on Windows. The vulnerability stems from the application loading a system-wide default configuration file from the path C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. The ProgramData directory is writable by non-administrative users by default, and the ClaudeCode subdirectory is neither pre-created nor access-restricted, enabling unauthorized file placement (CWE-426: Untrusted Search Path). The issue was published on 2026-04-17.

A low-privileged local user can exploit this on a shared multi-user Windows system by creating the C:\ProgramData\ClaudeCode directory and placing a malicious managed-settings.json file. When any other user, such as an administrator, launches Claude Code afterward, the malicious configuration is automatically loaded. This requires user interaction from the victim (UI:R) but grants the attacker high-impact confidentiality, integrity, and availability compromise (CVSS 7.3: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

The vulnerability has been fixed in Claude Code version 2.1.75. Additional mitigation details are available in the security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-5cwg-9f6j-9jvx.
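The ownership and permission validation that the advisory says was missing can be checked by an administrator before trusting the file. The following PowerShell is an added example, not code from the advisory or from Claude Code: it audits the path named above (assumed as $env:ProgramData\ClaudeCode\managed-settings.json) for a non-admin owner or broad write ACEs, and optionally pre-creates and locks the directory so a low-privileged user cannot claim it first. Run it elevated for the hardening step.

```powershell
# Added audit/hardening example (not from the advisory or the Claude Code project).
$ConfigDir  = Join-Path $env:ProgramData 'ClaudeCode'
$ConfigFile = Join-Path $ConfigDir 'managed-settings.json'
$TrustedOwners   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')
# Principals every local user belongs to: a write/create ACE for any of them means a
# non-admin could have planted, or can still replace, the configuration.
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl, Delete, WriteDacl, TakeOwnership'

function Test-ClaudeCodeManagedSettings {
    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not (Test-Path -LiteralPath $ConfigDir -PathType Container)) {
        # The advisory's root cause: the directory is not pre-created, so anyone can create it.
        $findings.Add('directory absent: any local user could create it')
        return [pscustomobject]@{ Path = $ConfigDir; Trusted = $false; Findings = $findings }
    }
    foreach ($item in @($ConfigDir, $ConfigFile)) {
        if (-not (Test-Path -LiteralPath $item)) { continue }
        $acl = Get-Acl -LiteralPath $item
        if ($TrustedOwners -notcontains $acl.Owner) {
            $findings.Add("$item owned by '$($acl.Owner)' (expected an admin/system principal)")
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights) -band $WriteBits) -ne 0) {
                $findings.Add("$item grants $($ace.FileSystemRights) to $($ace.IdentityReference)")
            }
        }
    }
    [pscustomobject]@{ Path = $ConfigDir; Trusted = ($findings.Count -eq 0); Findings = $findings }
}

function Protect-ClaudeCodeConfigDir {
    # Pre-create the directory so it cannot be claimed, stop inheriting ProgramData's
    # permissive ACL, and apply an explicit policy: admins/SYSTEM full control, Users read-only.
    New-Item -ItemType Directory -Path $ConfigDir -Force | Out-Null
    $acl = Get-Acl -LiteralPath $ConfigDir
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($rule) }
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    $inherit = 'ContainerInherit, ObjectInherit'
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($id, 'FullControl', $inherit, 'None', 'Allow'))
    }
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Users', 'ReadAndExecute', $inherit, 'None', 'Allow'))
    Set-Acl -LiteralPath $ConfigDir -AclObject $acl
}

Test-ClaudeCodeManagedSettings | Format-List
```

A planted managed-settings.json keeps its original owner even after the directory is locked down, which is why the audit inspects the file as well as the directory.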

Details

CWE(s): CWE-426 (Untrusted Search Path)

Affected Products: Anthropic Claude Code, versions ≤ 2.1.75

AI Security Analysis [AI]

AI Category: APIs and Models
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: claude, claude, claude, claude

CVEs Like This One

- CVE-2025-24789 (same product: Microsoft Windows)
- CVE-2025-21399 (same vendor: Microsoft)
- CVE-2026-22561 (same product: Microsoft Windows)
- CVE-2026-23512 (same product: Microsoft Windows)
- CVE-2026-25725 (same product: Anthropic Claude Code)
- CVE-2026-39861 (same product: Anthropic Claude Code)
- CVE-2026-27290 (same product: Microsoft Windows)
- CVE-2026-24887 (same product: Anthropic Claude Code)
- CVE-2025-27167 (same product: Microsoft Windows)
- CVE-2026-21280 (same product: Microsoft Windows)

References