SB2026043036 - Path traversal in Claude Code




Published: April 30, 2026

Security Bulletin ID: SB2026043036
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Path traversal (CVE-ID: CVE-2026-24053)

The vulnerability allows a remote attacker to write arbitrary files outside the restricted directory.

The vulnerability exists due to improper limitation of a pathname to a restricted directory in Bash command validation for ZSH clobber syntax when parsing untrusted content in a Claude Code context window. A remote attacker can supply crafted content that bypasses directory restrictions to write arbitrary files outside the restricted directory.

Exploitation requires the user to use ZSH, and untrusted content must be added into a Claude Code context window.
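The kind of check this bulletin concerns, as an added Python illustration (not Claude Code's validator and not the vendor's fix; the function names are hypothetical): redirection targets are read with zsh semantics, so the forced-clobber operators `>|` and `>!` count as writes, and every target must resolve inside the allowed root.

```python
import os
import shlex

# Targets that need shell expansion cannot be resolved statically: reject them.
EXPANSION_CHARS = set("$`~*?[{")

def redirect_targets(command):
    """Return the file operands of write redirections, read with zsh semantics."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # Python 3.8+: split on whitespace and ();<>|& only
    lex.commenters = ""
    tokens = list(lex)  # raises ValueError on unbalanced quotes
    targets, i = [], 0
    while i < len(tokens):
        op = tokens[i]
        i += 1
        # An operator run containing ">" writes: > >> >| >>| &> &>| <> ...
        # (a quoted lone ">" also lands here, which only errs towards rejecting)
        if ">" not in op or set(op) - set("<>&|"):
            continue
        words = tokens[i:i + 2] + ["", ""]
        word = words[0]
        i += 1
        # zsh also spells forced clobber ">!" / ">>!": the "!" is part of the
        # operator, not of the file name, with or without a following space.
        if word.startswith("!"):
            word = word[1:]
            if not word:
                word = words[1]
                i += 1
        if op.endswith("&") and (word.isdigit() or word == "-"):
            continue  # descriptor duplication such as 2>&1
        targets.append(word)  # "" when the operand is missing
    return targets

def writes_stay_inside(command, root):
    """True only if every write redirection resolves inside root (fails closed)."""
    root = os.path.realpath(root)
    try:
        targets = redirect_targets(command)
    except ValueError:
        return False
    for word in targets:
        if not word or EXPANSION_CHARS & set(word):
            return False
        resolved = os.path.realpath(os.path.join(root, word))
        if os.path.commonpath([root, resolved]) != root:
            return False
    return True
```

The check covers redirection operands only; commands that write through their own arguments need separate validation.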


Remediation

Install the update from the vendor's website.