Path traversal in Claude Code - CVE-2026-24053


Published: April 30, 2026


Vulnerability identifier: #VU128517
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-24053
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Anthropic
Affected software:
Claude Code

Detailed vulnerability description

The vulnerability allows a remote attacker to write arbitrary files outside the restricted directory.

The vulnerability exists due to improper limitation of a pathname to a restricted directory in Claude Code's Bash command validation, which mishandles ZSH clobber redirection syntax when untrusted content is parsed in a Claude Code context window. A remote attacker can supply crafted content that bypasses the directory restrictions and writes arbitrary files outside the restricted directory.

Exploitation requires that the user's shell is ZSH and that untrusted content has been added to the Claude Code context window.
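The kind of containment check the description calls for, written here as an added example and not Claude Code's own validator: it extracts the file targets of shell redirections, including the zsh clobber forms `>!` and `>|` (and their append variants `>>!` and `>>|`), resolves each against an allowed root directory, and rejects any target that lands outside it or cannot be resolved statically. The root path, operator list, regex and sample commands are constructed for this example.

```python
import os
import re

# Redirections that write to a file: POSIX ">" and ">>", the zsh clobber
# forms ">!" / ">|" (and ">>!" / ">>|") that force overwriting even under
# "noclobber", and "&>" / ">&" that redirect stdout and stderr together.
# Fd duplication such as "2>&1" names no file and is deliberately skipped.
# Assumption: this operator list and regex are ours, not Claude Code's.
_REDIRECT = re.compile(
    r"(?<![<>])\d*(?:&>>|&>|>>[!|]?|>&(?!\d)|>[!|]?(?!&))"
    r'''\s*("[^"]*"|'[^']*'|[^\s;&|()<>]+)'''
)


def redirect_targets(command: str) -> list[str]:
    """Return the file paths a command's redirections would write to."""
    targets = []
    for match in _REDIRECT.finditer(command):
        target = match.group(1)
        if len(target) >= 2 and target[0] == target[-1] and target[0] in "\"'":
            target = target[1:-1]  # strip the surrounding quotes
        targets.append(target)
    return targets


def writes_stay_inside(command: str, root: str) -> bool:
    """True only if every redirection target resolves to a path under root.

    Fails closed: targets that cannot be resolved statically (variables,
    command substitution, tilde expansion) count as out of bounds.
    """
    root = os.path.realpath(root)
    for target in redirect_targets(command):
        if any(ch in target for ch in "$`~"):
            return False
        # join() keeps an absolute target as-is; realpath() collapses ".."
        # segments so the containment test sees the real location.
        resolved = os.path.realpath(os.path.join(root, target))
        if os.path.commonpath([root, resolved]) != root:
            return False
    return True


if __name__ == "__main__":
    ROOT = "/srv/project"  # constructed sandbox root, not a real path
    for cmd in ("echo hi > notes.txt", "echo hi >! ../../outside.txt",
                "ls 2>&1 >| /srv/project/out/ls.txt"):
        print(f"{cmd!r:45} inside={writes_stay_inside(cmd, ROOT)}")
```

The regex is a tokenizer approximation: a production validator should hand the command to a real shell parser, and this check covers only redirection targets, not files written by the commands themselves.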


How to mitigate CVE-2026-24053

Install the security update from the vendor's website.

Sources