Cyber Resilience

CVE-2026-35603

Medium · LPE

Published: 17 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (fixed in version 2.1.75)
CVSS v4 score: 5.4 (vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0001 (1.9th percentile)
Risk priority: 11 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35603 is a medium-severity Untrusted Search Path (CWE-426) vulnerability in Anthropic Claude Code. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 1.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Enterprise AI Assistants, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SC-4 (Information in Shared System Resources).

Deeper analysis

CVE-2026-35603 affects Claude Code, an agentic coding tool, in versions prior to 2.1.75 on Windows. The vulnerability stems from the application loading a system-wide default configuration file from the path C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. The ProgramData directory is writable by non-administrative users by default, and the ClaudeCode subdirectory is neither pre-created nor access-restricted, enabling unauthorized file placement (CWE-426: Untrusted Search Path). The issue was published on 2026-04-17.

A low-privileged local user can exploit this on a shared multi-user Windows system by creating the C:\ProgramData\ClaudeCode directory and placing a malicious managed-settings.json file. When any other user, such as an administrator, launches Claude Code afterward, the malicious configuration is loaded automatically. Exploitation requires user interaction from the victim (UI:R) but gives the attacker a high-impact confidentiality, integrity, and availability compromise (CVSS 7.3: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

The vulnerability has been fixed in Claude Code version 2.1.75. Additional mitigation details are available in the security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-5cwg-9f6j-9jvx.
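The root cause described above is a configuration file trusted purely because of where it sits, in a directory that any local user can create. The PowerShell below is an added example for defenders and is not code from the advisory or from Anthropic; it audits a shared-location config directory the way the fixed version is described as doing (ownership and permission checks before trusting the file) and, separately, pre-creates and locks down the directory so that only administrators can write to it. The path and file name are the ones the advisory names; the set of trusted principals (SYSTEM, Administrators, TrustedInstaller) and the function names are assumptions of this example.

```powershell
# Added example (not from the advisory or Anthropic's code). Audits whether a
# config directory in a shared location can be trusted, then hardens it.
# Assumed policy: only SYSTEM, Administrators and TrustedInstaller may own the
# directory or hold write-class rights on it.

function Test-ManagedSettingsPath {
    param(
        [string]$Directory = 'C:\ProgramData\ClaudeCode',      # path named in the advisory
        [string]$FileName  = 'managed-settings.json',          # file named in the advisory
        [string[]]$TrustedPrincipals = @('NT AUTHORITY\SYSTEM',
                                         'BUILTIN\Administrators',
                                         'NT SERVICE\TrustedInstaller')
    )
    $r = [ordered]@{
        Directory = $Directory; Exists = $false; Owner = $null
        UntrustedWriters = @(); FilePresent = $false; FileOwner = $null; SafeToLoad = $false
    }
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        # Nothing to load. A non-admin could still create it later, which is why
        # the hardening function below pre-creates it with a restricted ACL.
        $r.SafeToLoad = $true
        return [pscustomobject]$r
    }
    $r.Exists = $true
    $acl = Get-Acl -LiteralPath $Directory
    $r.Owner = $acl.Owner

    # Specific write-class rights, plus GENERIC_WRITE|GENERIC_ALL (0x50000000)
    # for inherited ACEs that are expressed as generic access masks.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeMask = $R::Write -bor $R::Modify -bor $R::FullControl -bor $R::CreateFiles -bor
                 $R::CreateDirectories -bor $R::Delete -bor $R::TakeOwnership -bor $R::ChangePermissions
    $genericWrite = 0x50000000

    $r.UntrustedWriters = @(
        $acl.Access | Where-Object {
            $bits = $_.FileSystemRights.value__
            $_.AccessControlType -eq 'Allow' -and
            ((($bits -band $writeMask) -ne 0) -or (($bits -band $genericWrite) -ne 0)) -and
            ($TrustedPrincipals -notcontains $_.IdentityReference.Value)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    )

    $file = Join-Path $Directory $FileName
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        $r.FilePresent = $true
        $r.FileOwner   = (Get-Acl -LiteralPath $file).Owner
    }

    $ownerOk     = $TrustedPrincipals -contains $r.Owner
    $fileOwnerOk = (-not $r.FilePresent) -or ($TrustedPrincipals -contains $r.FileOwner)
    # Trust the file only if the directory and the file are owned by a trusted
    # principal and no untrusted principal can write into the directory.
    $r.SafeToLoad = $ownerOk -and $fileOwnerOk -and ($r.UntrustedWriters.Count -eq 0)
    return [pscustomobject]$r
}

function Protect-ConfigDirectory {
    # Run from an elevated session. Creates the directory if absent, drops the
    # permissive ACEs inherited from ProgramData, and grants write access only to
    # SYSTEM and Administrators; ordinary users keep read/execute so the tool can
    # still load the file.
    param([string]$Directory = 'C:\ProgramData\ClaudeCode')
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Directory
    $acl.SetAccessRuleProtection($true, $false)   # stop inheritance, discard inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($entry in @(@('NT AUTHORITY\SYSTEM', 'FullControl'),
                         @('BUILTIN\Administrators', 'FullControl'),
                         @('BUILTIN\Users', 'ReadAndExecute'))) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            [System.Security.Principal.NTAccount]$entry[0],
            [System.Security.AccessControl.FileSystemRights]$entry[1],
            $inherit, $prop, [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    # Re-own the directory so a pre-existing, user-created copy is no longer
    # owned by that user (ownership change needs the elevated token's privileges).
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -LiteralPath $Directory -AclObject $acl
}

# Audit first; only if SafeToLoad is $false should the config be treated as untrusted.
Test-ManagedSettingsPath | Format-List
```

On a default Windows install a directory created under ProgramData by a standard user inherits ACEs granting BUILTIN\Users create-file rights and CREATOR OWNER full control, so the audit reports both as untrusted writers and the user as owner, which is exactly the condition the advisory describes. Running Protect-ConfigDirectory from an elevated prompt before any user launches the tool removes the race by making the directory exist already with administrator-only write access.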

EU & UK References

Vulnerability details

Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. This issue has been fixed on version 2.1.75.

CWE(s)

AI Security Analysis

AI Category
Enterprise AI Assistants
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: claude

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1574.008 Path Interception by Search Order Hijacking (tactic: Stealth)
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Why these techniques?

The vulnerability lets a low-privileged user place a malicious configuration file in an expected system path (C:\ProgramData\ClaudeCode) because ownership and permission checks are missing. This enables path interception via search-order hijacking and exploitation for privilege escalation when higher-privileged users launch the application.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24789 (same product: Microsoft Windows)
CVE-2025-21399 (same vendor: Microsoft)
CVE-2026-23512 (same product: Microsoft Windows)
CVE-2026-22561 (same product: Microsoft Windows)
CVE-2026-25725 (same product: Anthropic Claude Code)
CVE-2026-39861 (same product: Anthropic Claude Code)
CVE-2026-27290 (same product: Microsoft Windows)
CVE-2026-24887 (same product: Anthropic Claude Code)
CVE-2025-27167 (same product: Microsoft Windows)
CVE-2026-21280 (same product: Microsoft Windows)

Affected Assets

Vendor: anthropic
Product: claude code
Versions: ≤ 2.1.75

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

[prevent] Prevents unauthorized information transfer via shared system resources, such as the writable ProgramData directory, by requiring validation of directory ownership and permissions before configuration files are loaded.

[prevent] Requires validation of configuration inputs from untrusted paths so that malicious managed-settings.json files are not processed.

[prevent] Restricts creation and modification of configuration directories and files in shared locations such as C:\ProgramData\ClaudeCode to authorized users, preventing low-privileged exploitation.

References