Description
Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.74.
Published: 2026-02-03
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Immediate Patch
AI Analysis

Impact

Claude Code, an agentic coding tool, had a flaw in its Bash command validation that allowed the parsing of ZSH clobber syntax to bypass directory restrictions and write files outside the current working directory. The vulnerability, identified as CWE‑22 and CWE‑79, means an attacker can create or overwrite arbitrary files on the host system without any user permission prompt. The effect is a compromise of file-system integrity and potentially the confidentiality of data if sensitive files are overwritten or malicious code is injected.

Affected Systems

The flaw affects versions of Claude Code prior to 2.0.74 released by Anthropic. The vulnerability applies to the standard node.js binary distribution of the tool and requires the user to be running ZSH to trigger the clobber syntax. No specific sub‑versions beyond the 2.0.74 threshold are listed as affected.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity, but the EPSS score of less than 1% suggests exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have the ability to inject untrusted content into a Claude Code context window while the shell engine is ZSH. The attack surface is limited to users who have run Claude Code with ZSH and have provided contextual input that contains the clobber syntax. Based on the description, the likely attack vector is through crafted user input in the context window rather than a network-based payload.

Generated by OpenCVE AI on April 18, 2026 at 00:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Claude Code to version 2.0.74 or later to receive the fix for the clobber‑syntax validation flaw.
  • If an upgrade is not immediately possible, avoid using ZSH when executing Claude Code or remove any ZSH clobber syntax from context windows.
  • Ensure that only trusted content is added to context windows and validate all input before it reaches the command‑parsing stage.

Generated by OpenCVE AI on April 18, 2026 at 00:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q728-gf8j-w49r Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes
History

Fri, 06 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Anthropic
Anthropic claude Code
CPEs cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*
Vendors & Products Anthropic
Anthropic claude Code
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Anthropics
Anthropics claude Code
Vendors & Products Anthropics
Anthropics claude Code

Tue, 03 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.74.
Title Cluade Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes
Weaknesses CWE-22
CWE-79
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Anthropic Claude Code
Anthropics Claude Code
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T21:22:27.265Z

Reserved: 2026-01-20T22:30:11.778Z

Link: CVE-2026-24053

cve-icon Vulnrichment

Updated: 2026-02-03T21:22:21.302Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T21:16:13.220

Modified: 2026-02-06T20:24:38.630

Link: CVE-2026-24053

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses