Improper access control in Claude Code - CVE-2025-52882

Published: April 30, 2026


Vulnerability identifier: #VU128534
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-52882
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Claude Code
Software vendor: Anthropic

Description

The vulnerability allows a remote attacker to disclose sensitive information and, in limited situations, execute code.

The vulnerability exists due to improper access control in the websocket connection handling of Claude Code IDE extensions: when the user visits an attacker-controlled webpage, that page can open an unauthorized websocket connection to the extension. A remote attacker can use this connection to disclose sensitive information and, in limited situations, execute code.

User interaction is required to visit an attacker-controlled webpage, and code execution is limited to situations where a Jupyter Notebook is open and a malicious prompt is accepted.


Remediation

Install the security update from the vendor's website.
