Main Vulnerability Database SB2026043047

SB2026043047 - Code Injection in Claude Code

Published: April 30, 2026

Security Bulletin ID SB2026043047

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Code Injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the startup trust warning mechanism when a user starts Claude Code in a new directory and approves the trust prompt. A remote attacker can place executable files in the folder to execute arbitrary code.

User interaction is required to approve the trust prompt.

Remediation

Install update from vendor's website.

References

https://github.com/anthropics/claude-code/security/advisories/GHSA-ph6w-f82w-28w6