Description
Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. This issue has been fixed on version 2.1.75.
Published: 2026-04-17
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

Claude Code versions earlier than 2.1.75 on Windows automatically load a system-wide configuration file from C:\ProgramData\ClaudeCode\managed-settings.json without verifying the owner or permissions of the directory or file. This flaw, mapped to CWE-426, allows a local user with standard privileges to add or replace that configuration file. When a victim subsequently launches Claude Code, the malicious configuration file is automatically parsed, which can grant the attacker elevated privileges or enable further exploitation within the application. The vulnerability can compromise confidentiality, integrity, and availability of the local system for the affected account.

Affected Systems

Anthropic’s Claude Code running on Windows machines in a shared multi-user environment. Versions prior to 2.1.75 are vulnerable; the issue has been fixed starting with 2.1.75. The vulnerability stems from the default path C:\ProgramData\ClaudeCode, which non-administrative users can create or write to.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. EPSS data is not available, so the current likelihood of exploitation is unclear, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack scenario requires a user who shares a Windows machine and can write to the ProgramData directory to drop a crafted configuration file. The victim user must then launch Claude Code after the malicious file is in place. This chain of events means exploitation is feasible on a shared workstation or on any Windows machine with multiple local accounts.

Generated by OpenCVE AI on April 18, 2026 at 08:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Claude Code to version 2.1.75 or later, which corrects the insecure configuration loading behavior.
  • Configure Windows permissions so that C:\ProgramData\ClaudeCode is writable only by administrators, preventing standard users from creating or modifying the managed-settings.json file.
  • Remove any existing managed-settings.json files from the directory and audit the file and parent directory for unexpected contents after the upgrade to ensure no residual malicious configurations remain.
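As an added example (not code from OpenCVE, GitHub or Anthropic), the following PowerShell audits the ownership and ACL of the path named above and, when run from an elevated prompt with -Harden, pre-creates the directory and restricts it to administrators as the second action recommends. The path comes from the advisory; the principal names are standard Windows built-ins.

```powershell
# Added example, not code from OpenCVE or Anthropic. Audits the managed-settings path from
# CVE-2026-35603 and, with -Harden from an elevated prompt, limits writes to administrators.
param([switch]$Harden)

$Dir  = 'C:\ProgramData\ClaudeCode'
$File = Join-Path $Dir 'managed-settings.json'
# Principals that must not be able to create, modify or delete anything under $Dir.
$LowPriv   = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'CREATOR OWNER')
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, WriteDacl, TakeOwnership'
$Admins    = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

function Test-ClaudeCodeManagedPath {
    # Returns $true only if the directory exists, is admin-owned and grants no low-privilege writes.
    if (-not (Test-Path -LiteralPath $Dir)) {
        Write-Warning "$Dir does not exist; a vulnerable Claude Code would trust whoever creates it."
        return $false
    }
    $ok = $true
    foreach ($path in @($Dir, $File)) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $acl = Get-Acl -LiteralPath $path
        Write-Output "$path owner: $($acl.Owner)"
        if ($acl.Owner -notin @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')) {
            Write-Warning "$path is owned by a non-administrative principal"; $ok = $false
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -in $LowPriv -and
                ($ace.FileSystemRights -band $WriteMask) -ne 0) {
                Write-Warning "$path grants $($ace.IdentityReference) $($ace.FileSystemRights)"; $ok = $false
            }
        }
    }
    return $ok
}

function Protect-ClaudeCodeManagedDir {
    # Pre-creates the directory (so no other user can) and replaces the inherited ProgramData
    # ACL with full control for Administrators/SYSTEM and read-only access for standard users.
    if (-not (Test-Path -LiteralPath $Dir)) { $null = New-Item -ItemType Directory -Path $Dir }
    $acl = Get-Acl -LiteralPath $Dir
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
    foreach ($r in @($acl.Access | Where-Object { -not $_.IsInherited })) { $null = $acl.RemoveAccessRule($r) }
    $inh = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($p in @(@('BUILTIN\Administrators', 'FullControl'), @('NT AUTHORITY\SYSTEM', 'FullControl'), @('BUILTIN\Users', 'ReadAndExecute'))) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($p[0], $p[1], $inh, 'None', 'Allow')))
    }
    $acl.SetOwner($Admins)
    Set-Acl -LiteralPath $Dir -AclObject $acl
}

if ($Harden) { Protect-ClaudeCodeManagedDir }
if (Test-ClaudeCodeManagedPath) { Write-Output "OK: $Dir is restricted to administrators." }
```

The audit also reports the owner of an existing managed-settings.json, which is the signal to act on the third action above; the script reports it rather than deleting it.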


Tracking


Advisories
Source        ID                    Title
Github GHSA   GHSA-5cwg-9f6j-9jvx   Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows
History

Wed, 22 Apr 2026 19:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Anthropic
                                        Anthropic claude Code
                                        Microsoft
                                        Microsoft windows
CPEs                                    cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*
                                        cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products                      Anthropic
                                        Anthropic claude Code
                                        Microsoft
                                        Microsoft windows
Metrics                                 cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


Mon, 20 Apr 2026 15:15:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 23:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Anthropics
                                        Anthropics claude Code
Vendors & Products                      Anthropics
                                        Anthropics claude Code

Fri, 17 Apr 2026 20:45:00 +0000

Type                  Values Removed    Values Added
Description                             Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. This issue has been fixed on version 2.1.75.
Title                                   Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows
Weaknesses                              CWE-426
References
Metrics                                 cvssV4_0 {'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T14:57:47.669Z

Reserved: 2026-04-03T21:25:12.162Z

Link: CVE-2026-35603

Vulnrichment

Updated: 2026-04-20T14:52:28.455Z

NVD

Status: Analyzed

Published: 2026-04-17T21:16:33.507

Modified: 2026-04-22T18:45:11.723

Link: CVE-2026-35603

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses