Description
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the /copy command. This vulnerability is fixed in 2.1.128.
Published: 2026-06-29
Score: 4.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the use of an insecure, hard‑coded temporary file by the /copy command that writes Claude response content to /tmp/claude/response.md. The file is world readable and the directory is world traversable, which allows a local unprivileged user to read data produced by a privileged user, potentially exposing secrets or credentials. Moreover, the predictable file path permits a symlink attack: an attacker can pre‑create a symlink at the expected location so that the privileged process will overwrite an arbitrary file chosen by the attacker with the response text.

Affected Systems

The product is Anthropic’s Claude Code. Versions from 2.1.59 up to and including 2.1.127 are affected. The issue is fixed in version 2.1.128.

Risk and Exploitability

The CVSS score of 4.4 places the vulnerability in the low‑to‑medium range. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires both a local unprivileged user and a privileged user to execute the /copy command; the file permissions and directory layout allow an attacker to read privileged output or to overwrite another file through a symlink. The risk to an organization depends on the presence of privileged processes and the exposure of /tmp. Updating to the fixed version mitigates the issue and removes the possibility of local disclosure or arbitrary file write.

Generated by OpenCVE AI on June 29, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Claude Code to version 2.1.128 or later.
  • If upgrade is not feasible, restrict access to the /tmp/claude directory by changing its permissions to non‑world‑readable (e.g., 0700) and removing the world‑readable flag from response.md (e.g., 0600).
  • Limit the privileges of users who may invoke the /copy command or disable the command entirely if it is not required for your workflow.

Generated by OpenCVE AI on June 29, 2026 at 16:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4vp2-6q8c-pvq2 @anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write
History

Mon, 29 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the /copy command. This vulnerability is fixed in 2.1.128.
Title Claude Code: Insecure Temporary File in /copy Command Enables Response Disclosure and Symlink-Based File Write
Weaknesses CWE-200
CWE-377
CWE-59
References
Metrics cvssV4_0

{'score': 4.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-29T15:26:11.153Z

Reserved: 2026-05-13T21:04:10.932Z

Link: CVE-2026-46406

cve-icon Vulnrichment

Updated: 2026-06-29T15:25:57.936Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T16:30:17Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-377

    Insecure Temporary File

  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')