Description
Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7.
Published: 2026-02-06
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file access
Action: Patch
AI Analysis

Impact

Claude Code, an agentic coding tool, had a flaw before version 2.1.7: deny rules defined in settings.json were, in effect, applied to the path Claude Code was asked to open rather than to the file that path ultimately resolves to. A symbolic link that Claude Code was allowed to read, but that pointed at a denied file such as /etc/passwd, could therefore be read without the deny rule firing. Anyone able to place such a link where Claude Code can reach it, or anything able to steer the agent toward it, could obtain the contents of a file the user had explicitly tried to protect, an unauthorized disclosure of system or user data.

Affected Systems

The vulnerability affects Anthropic's Claude Code prior to version 2.1.7 (CPE cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*, i.e. the Node.js distribution). Every earlier release is affected. There is no configuration-level mitigation: the deny rule itself is what fails to apply when a symlink is followed, so adding further deny entries does not help. Updating is the only fix.

Risk and Exploitability

The CVSS v4.0 score is 2.3 (vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) and the EPSS score is below 1 percent, indicating low severity and a very low probability of exploitation. Note that the CVSS v3.1 record in the history below rates the same issue 7.5 (AV:N, C:H), so the severity label depends on which scoring is used. The vulnerability is not listed in the CISA KEV catalog. Based on the description, exploitation requires a symbolic link that points at a denied file and sits somewhere Claude Code is permitted to read, for example inside the project working tree. Such a link can be created by a local user, or can arrive with untrusted content such as a cloned repository, since git tracks symlinks as files. Deny rules in settings.json do not reduce the risk on affected versions, because the bug is precisely that they are not enforced for symlinked paths; the mitigation is the update.

Generated by OpenCVE AI on April 16, 2026 at 17:24 UTC.

Remediation

Fixed in Claude Code version 2.1.7 (see the description above and the GHSA advisory listed under Advisories). No configuration workaround exists for earlier versions.

OpenCVE Recommended Actions

  • Update to Claude Code version 2.1.7 or later to apply the fix that enforces deny rules on symlinks.
  • Ensure that the settings.json file contains the desired deny rules for sensitive files such as /etc/passwd.
  • Scan the tool's working directories for symlinks that resolve to denied paths (compare resolved targets, not link names, since the link can be named anything) and remove or relocate them.


Tracking


Advisories
Source: Github GHSA
ID: GHSA-4q92-rfm6-2cqx
Title: Claude Code has Permission Deny Bypass Through Symbolic Links
History

Sat, 28 Mar 2026 03:15:00 +0000


Mon, 09 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Anthropic; Anthropic claude Code

Type: CPEs
Values Added: cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Anthropic; Anthropic claude Code

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Anthropics; Anthropics claude Code

Type: Vendors & Products
Values Added: Anthropics; Anthropics claude Code

Fri, 06 Feb 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 18:15:00 +0000

Type: Description
Values Added: Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7.

Type: Title
Values Added: Claude Code Has Permission Deny Bypass Through Symbolic Links

Type: Weaknesses
Values Added: CWE-285; CWE-61

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T21:11:36.820Z

Reserved: 2026-02-05T16:48:00.426Z

Link: CVE-2026-25724

Vulnrichment

Updated: 2026-03-27T21:11:36.820Z

NVD

Status : Modified

Published: 2026-02-06T18:16:00.037

Modified: 2026-03-27T22:16:20.317

Link: CVE-2026-25724

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:30:26Z

Weaknesses