Description
Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.57.
Published: 2026-02-06
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection enabling bypass of write protection
Action: Patch Now
AI Analysis

Impact

Claude Code versions before 2.0.57 allow a change of directory without adequate validation when combined with write operations to protected folders. By inserting the cd command into the context window, a user who can supply untrusted content can navigate into sensitive directories such as .claude and then create or modify files without user confirmation. The flaw therefore permits unauthorized file manipulation, code injection and potentially persistent compromise, and is classified as improper input validation (CWE‑20) and OS command injection (CWE‑78).

Affected Systems

Vendor: Anthropic; Product: Claude Code; All releases before version 2.0.57 are affected. The vulnerability was fixed in v2.0.57 and later releases are considered safe.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, but the EPSS score of less than 1 % points to a low likelihood of exploitation at present. The flaw requires that an attacker be able to inject untrusted content into the context window, limiting the attack surface to environments that allow such content. It is not currently listed in the CISA KEV catalog. Because the vulnerability permits modification of protected files, an exploit could lead to persistence if the altered files are executed. The overall risk balances significant impact with a low probability of exploitation, and the most effective mitigation is to patch.

Generated by OpenCVE AI on April 18, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Claude Code to version 2.0.57 or later to apply the patch that restores proper directory validation.
  • If upgrading is not immediately possible, restrict write access to sensitive directories such as .claude by setting appropriate filesystem permissions so the Claude Code process cannot create or modify files there.
  • Sanitize or strictly control any untrusted content that can be entered into a context window, ensuring that commands such as cd are not processed without validation.

Generated by OpenCVE AI on April 18, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-66q4-vfjg-2qhh Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection
History

Mon, 09 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Anthropic
Anthropic claude Code
CPEs cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*
Vendors & Products Anthropic
Anthropic claude Code
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Anthropics
Anthropics claude Code
Vendors & Products Anthropics
Anthropics claude Code

Fri, 06 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.57.
Title Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection
Weaknesses CWE-20
CWE-78
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Anthropic Claude Code
Anthropics Claude Code
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T18:42:01.040Z

Reserved: 2026-02-05T16:48:00.425Z

Link: CVE-2026-25722

cve-icon Vulnrichment

Updated: 2026-02-06T18:41:54.404Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T18:15:59.077

Modified: 2026-02-09T14:51:42.203

Link: CVE-2026-25722

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z

Weaknesses