Improper access control in Claude Code - CVE-2025-52882

Published: April 30, 2026

Vulnerability identifier: #VU128534
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-52882
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Anthropic
Affected software:
Claude Code

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and, in limited situations, execute code.

The vulnerability exists due to improper access control in the websocket connection handling of Claude Code IDE extensions when visiting attacker-controlled webpages. A remote attacker can establish an unauthorized websocket connection to disclose sensitive information and, in limited situations, execute code.

User interaction is required to visit an attacker-controlled webpage, and code execution is limited to situations where a Jupyter Notebook is open and a malicious prompt is accepted.
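Added illustration of the defensive pattern for this class of issue (a local WebSocket endpoint reachable by any webpage the user visits), not code from Claude Code or Anthropic: a handshake policy check for a hypothetical local IDE helper socket that requires both an exact Origin allowlist match and a per-session bearer token. The origin, path and token values are constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed policy for a hypothetical local IDE helper service, not Claude Code's
# real configuration: only the IDE's own origin may open a socket, and a per-session
# token (minted by the extension and handed only to the IDE) must accompany it.
ALLOWED_ORIGINS = {"vscode-webview://ide-host"}   # placeholder allowlist
SESSION_TOKEN = secrets.token_urlsafe(32)


def parse_upgrade_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 upgrade request into its request line and a lowercase header map."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def handshake_decision(raw: str, expected_token: str) -> Tuple[bool, str]:
    """Return (accept, reason). Reject anything a cross-site page could make a browser send."""
    _, h = parse_upgrade_request(raw)
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    origin = h.get("origin")
    # Browsers attach Origin to cross-site WebSocket handshakes; a missing or foreign
    # origin means a page the user merely visited is trying to reach the local service.
    if origin is None or origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {origin!r}"
    # Origin is trivially forged by non-browser clients, so also demand the session token,
    # compared in constant time.
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "missing or invalid session token"
    return True, "ok"


def build_upgrade_request(origin: Optional[str], token: str) -> str:
    """Constructed sample handshake, as a browser page or a script would send it."""
    lines = ["GET /ide HTTP/1.1", "Host: 127.0.0.1:54321", "Upgrade: websocket",
             "Connection: Upgrade", f"Authorization: Bearer {token}"]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return "\r\n".join(lines) + "\r\n\r\n"
```

A handshake that passes only the origin check, or only the token check, is still refused; a service that relied on either control alone would remain exposed to the other's bypass.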

How to mitigate CVE-2025-52882

Install the security update from the vendor's website.

Sources