Path traversal in Claude Code - CVE-2026-24053

Published: April 30, 2026


Vulnerability identifier: #VU128517
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-24053
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Claude Code
Software vendor: Anthropic

Description

The vulnerability allows a remote attacker to write arbitrary files outside the restricted directory.

The vulnerability exists due to improper limitation of a pathname to a restricted directory in Bash command validation for ZSH clobber syntax when parsing untrusted content in a Claude Code context window. A remote attacker can supply crafted content that bypasses directory restrictions to write arbitrary files outside the restricted directory.

Exploitation requires the user to use ZSH, and untrusted content must be added into a Claude Code context window.
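The description above places the flaw in a command validator that does not account for zsh's clobber redirection operators when checking where a command may write. The following Python validator is an added illustration, not Claude Code's own code: the allowed root, working directory and command strings are constructed here. It extracts every output-redirection target from a command line, treating zsh's `>|` and `>!` the same as `>` and `>>`, and rejects the command if any target resolves outside the allowed root or cannot be resolved statically (variables, globs, process substitution). A naive matcher that knows only `>` and `>>` is included alongside to show how the clobber form is misread as a pipe.

```python
import posixpath
import re

# Tokenizer for the parts of a command line that matter here: output
# redirection operators (optionally prefixed by a descriptor number, e.g. "2>")
# and words, with single/double quoted segments kept intact. Operators are
# listed longest-first so ">|" and ">!" (zsh clobber forms, which force an
# overwrite even under "setopt noclobber") are not split into ">" plus "|".
TOKEN_RE = re.compile(
    r"""
    \s+                                           # whitespace between words
    | (?P<op>\d*(?:>>|>\||>!|&>|>))               # output redirection operator
    | (?P<word>(?:"[^"]*"|'[^']*'|[^\s>"'])+)     # word, possibly (partly) quoted
    """,
    re.VERBOSE,
)
QUOTE_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'')

# Characters whose meaning is only known at run time; a static check cannot
# tell where such a target ends up, so the command is rejected outright.
UNRESOLVABLE = set("$`~*?{(")


def unquote(word: str) -> str:
    """Strip shell quotes from a word (no escape handling beyond quotes)."""
    return QUOTE_RE.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), word)


def output_targets(command: str) -> list:
    """Return the file operand of every output redirection in `command`."""
    targets = []
    expect_target = False
    for m in TOKEN_RE.finditer(command):
        if m.group("op"):
            expect_target = True
        elif m.group("word") and expect_target:
            expect_target = False
            word = m.group("word")
            if word.startswith("&"):          # "2>&1" duplicates a descriptor; no file is opened
                continue
            targets.append(unquote(word))
    return targets


def naive_output_targets(command: str) -> list:
    """Hypothetical weak matcher that knows only ">" and ">>" (illustration only)."""
    return re.findall(r"(?:^|\s)\d*(?:>>|>)\s*(\S+)", command)


def validate_command(command: str, allowed_root: str, cwd: str):
    """Allow the command only if every output redirection stays inside allowed_root.

    Returns (ok, violations); violations lists the offending resolved paths
    (or the raw target when it cannot be resolved statically).
    """
    root = posixpath.normpath(allowed_root)
    violations = []
    for target in output_targets(command):
        if UNRESOLVABLE & set(target):
            violations.append(target)
            continue
        resolved = posixpath.normpath(posixpath.join(cwd, target))
        if posixpath.commonpath([root, resolved]) != root:
            violations.append(resolved)
    return (not violations, violations)


if __name__ == "__main__":
    # Constructed sample commands checked against a constructed sandbox root.
    root, cwd = "/workspace", "/workspace"
    for cmd in [
        "echo hi > notes.txt",
        "echo hi >| ../outside.txt",
        'echo hi >! "/workspace/sub/out 1.txt"',
        "cat f 2>&1 >> log.txt",
        "echo hi > $HOME/x",
    ]:
        print(f"{cmd!r}: naive={naive_output_targets(cmd)} strict={validate_command(cmd, root, cwd)}")
```

The naive matcher reports the target of `echo hi >| ../outside.txt` as `|`, a name that resolves harmlessly under the working directory, so a directory check built on it passes the command; the strict tokenizer reports `../outside.txt`, which resolves to `/outside.txt` and is rejected. Targets that contain variables, globs or process substitution are rejected rather than guessed at, since the validator only sees the command text, not the shell's expansion of it.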


Remediation

Install the security update from the vendor's website.

External links