{"id":"GHSA-5cwg-9f6j-9jvx","summary":"Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows","details":"On Windows, Claude Code loaded system-wide default configuration from `C:\\ProgramData\\ClaudeCode\\managed-settings.json` without validating directory ownership or access permissions. Because the `ProgramData` directory is writable by non-administrative users by default and the `ClaudeCode` subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed.\n\nUsers on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.\n\nThank you to hackerone.com/edbr for reporting this issue.","aliases":["CVE-2026-35603"],"modified":"2026-05-05T16:04:01.752628Z","published":"2026-04-17T22:19:38Z","database_specific":{"severity":"MODERATE","github_reviewed":true,"github_reviewed_at":"2026-04-17T22:19:38Z","nvd_published_at":"2026-04-17T21:16:33Z","cwe_ids":["CWE-426"]},"references":[{"type":"WEB","url":"https://github.com/anthropics/claude-code/security/advisories/GHSA-5cwg-9f6j-9jvx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35603"},{"type":"PACKAGE","url":"https://github.com/anthropics/claude-code"}],"affected":[{"package":{"name":"@anthropic-ai/claude-code","ecosystem":"npm","purl":"pkg:npm/%40anthropic-ai/claude-code"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.1.75"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-5cwg-9f6j-9jvx/GHSA-5cwg-9f6j-9jvx.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}