Description
Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope. Exploiting this required the ability to execute commands through Claude Code with the "accept edits" feature enabled. This issue has been patched in version 2.0.55.
Published: 2026-02-06
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection allowing unauthorized file writes
Action: Patch Immediately
AI Analysis

Impact

Claude Code, an agentic coding tool, contains a command injection flaw that fails to validate piped sed commands combined with an echo statement. Attackers who can trigger the tool's "accept edits" capability can inject arbitrary shell commands, enabling them to write malicious content to restricted directories such as the .claude folder or to paths outside the defined project scope. The flaw directly compromises data integrity and could be used to deploy further code, leading to a high impact on confidentiality and integrity in the host environment.

Affected Systems

Anthropic's Claude Code versions earlier than 2.0.55, including deployments running on Node.js environments, are vulnerable. The issue affects all installations where the "accept edits" feature is enabled and the tool is exposed to potentially untrusted input streams.

Risk and Exploitability

A CVSS score of 7.7 indicates high severity, while the EPSS score of less than 1% suggests a currently low probability of exploitation. The vulnerability is not present in CISA's KEV catalog. Exploitation requires that the attacker can supply input to Claude Code's accept edits function, which in typical deployments is limited to authenticated users. Nevertheless, once that condition is met, the attacker can bypass file write restrictions and place arbitrary files, which could be leveraged for further attacks.

Generated by OpenCVE AI on April 17, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to Claude Code 2.0.55 or newer.
  • If an upgrade is not immediately possible, disable the "accept edits" feature to prevent the injection vector.
  • Monitor repository and file system logs for unexpected writes to the .claude directory or other protected paths to detect potential exploitation.
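As an added example, not code from the OpenCVE record or from Claude Code itself, the following Python sketch shows the kind of check the last recommendation implies: a write-target policy that resolves each proposed path against the project root (so `..` segments and symlinks cannot move the effective target out of scope) and refuses any path under a `.claude` directory, plus a scan over constructed file-system log lines that reports writes violating that policy. The log format, the `/home/dev/project` root and the function names are assumptions for illustration; the page does not describe how Claude Code's own validation is implemented.

```python
import os
import re

# Directory names that must never be written to, wherever they sit in the tree.
# Assumption drawn from the advisory's mention of the .claude folder.
PROTECTED_DIRS = frozenset({".claude"})


def classify_write(project_root: str, target: str) -> str:
    """Return 'allowed', 'outside_scope' or 'protected_dir' for a proposed write.

    Both the root and the target are passed through realpath so that '..'
    segments and symlinks are collapsed before the containment check; an
    absolute target overrides the root in os.path.join, which is what we want.
    """
    root = os.path.realpath(project_root)
    resolved = os.path.realpath(os.path.join(root, target))
    if os.path.commonpath([root, resolved]) != root:
        return "outside_scope"
    relative_parts = os.path.relpath(resolved, root).split(os.sep)
    if any(part in PROTECTED_DIRS for part in relative_parts):
        return "protected_dir"
    return "allowed"


# Hypothetical log line shape: "<timestamp> op=<read|write> path=<path>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+op=(?P<op>\w+)\s+path=(?P<path>\S+)")


def scan_write_log(project_root: str, lines) -> list:
    """Return (timestamp, path, verdict) for every logged write that breaks policy.

    Reads and unparseable lines are skipped; only writes are classified.
    """
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match or match.group("op") != "write":
            continue
        verdict = classify_write(project_root, match.group("path"))
        if verdict != "allowed":
            findings.append((match.group("ts"), match.group("path"), verdict))
    return findings


# Constructed sample log lines (not real output from any tool).
SAMPLE_LOG = [
    "2026-02-06T18:20:01Z op=write path=/home/dev/project/src/main.py",
    "2026-02-06T18:20:02Z op=write path=/home/dev/project/.claude/settings.json",
    "2026-02-06T18:20:03Z op=write path=/home/dev/project/src/../../other/notes.txt",
    "2026-02-06T18:20:04Z op=read path=/home/dev/project/README.md",
]

if __name__ == "__main__":
    for ts, path, verdict in scan_write_log("/home/dev/project", SAMPLE_LOG):
        print(f"{ts} {verdict}: {path}")
```

The containment test compares resolved paths rather than raw strings because a prefix check on the unresolved text would accept `project/../other` and a symlinked subdirectory pointing outside the tree; resolving first is what makes the "outside the project scope" restriction meaningful.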

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-mhg7-666j-cqg4   Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions
History

Mon, 09 Feb 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Anthropic; Anthropic claude Code
CPEs                 -                cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*
Vendors & Products   -                Anthropic; Anthropic claude Code
Metrics              -                cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Mon, 09 Feb 2026 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Anthropics; Anthropics claude Code
Vendors & Products   -                Anthropics; Anthropics claude Code

Fri, 06 Feb 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Description          -                Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope. Exploiting this required the ability to execute commands through Claude Code with the "accept edits" feature enabled. This issue has been patched in version 2.0.55.
Title                -                Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions
Weaknesses           -                CWE-20; CWE-78
References           -
Metrics              -                cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-06T18:40:54.158Z
Reserved: 2026-02-05T16:48:00.426Z
Link: CVE-2026-25723

Vulnrichment

Updated: 2026-02-06T18:40:49.688Z

NVD

Status: Analyzed
Published: 2026-02-06T18:15:59.237
Modified: 2026-02-09T14:50:15.813
Link: CVE-2026-25723

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses