{"id":"CVE-2026-46406","summary":"Claude Code: Insecure Temporary File in /copy Command Enables Response Disclosure and Symlink-Based File Write","details":"Claude Code is an agentic coding tool.  From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the /copy command. This vulnerability is fixed in 2.1.128.","aliases":["GHSA-4vp2-6q8c-pvq2"],"modified":"2026-07-15T01:49:08.399438002Z","published":"2026-06-29T14:03:14.683Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-200","CWE-377","CWE-59"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46406.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46406.json"},{"type":"ADVISORY","url":"https://github.com/anthropics/claude-code/security/advisories/GHSA-4vp2-6q8c-pvq2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46406"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/anthropics/claude-code","events":[{"introduced":"d6ab0eafec1692c070a835504b662881649d7112"},{"fixed":"9fce4e6ed16244127de19b1eee02508c6dc2d29e"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE"],"cpe":"cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"2.1.59"},{"fixed":"2.1.128"},{"introduced":"2.1.58"}]}}],"versions":["v2.1.126","v2.1.123","v2.1.122","v2.1.121","v2.1.120","v2.1.119","v2.1.118","v2.1.117","v2.1.116","v2.1.114","v2.1.113","v2.1.112","v2.1.111","v2.1.110","v2.1.109","v2.1.108","v2.1.107","v2.1.105","v2.1.104","v2.1.101","v2.1.98","v2.1.100","v2.1.97","v2.1.96","v2.1.94","v2.1.92","v2.1.91","v2.1.90","v2.1.89","v2.1.88","v2.1.87","v2.1.86","v2.1.85","v2.1.84","v2.1.83","v2.1.81","v2.1.80","v2.1.79","v2.1.78","v2.1.77","v2.1.76","v2.1.75","v2.1.74","v2.1.73","v2.1.72","v2.1.71","v2.1.70","v2.1.69","v2.1.68","v2.1.66","v2.1.63","v2.1.62","v2.1.61","v2.1.59"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46406.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"}]}