CVE-2026-46406
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
Claude Code versions 2.1.59 through 2.1.128 write responses from the /copy command to /tmp/claude/response.md without UID isolation, randomness, or symlink protection. The file is created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which may contain secrets or credentials.
Risk Assessment
A local unprivileged attacker can read Claude responses containing secrets or credentials, and by pre-creating a symlink at the predictable path, can cause overwriting of an arbitrary file on the system.
Recommendation
Upgrade Claude Code to version 2.1.128 or later, which fixes this vulnerability.
Original NVD description (English source)
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the /copy command. This vulnerability is fixed in 2.1.128.

