{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*",
            "extracted_events": [
              {
                "introduced": "2.1.59"
              },
              {
                "fixed": "2.1.128"
              },
              {
                "introduced": "2.1.58"
              }
            ],
            "source": [
              "AFFECTED_FIELD",
              "CPE_RANGE"
            ]
          },
          "events": [
            {
              "introduced": "d6ab0eafec1692c070a835504b662881649d7112"
            },
            {
              "fixed": "9fce4e6ed16244127de19b1eee02508c6dc2d29e"
            }
          ],
          "repo": "https://github.com/anthropics/claude-code",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-4vp2-6q8c-pvq2"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-200",
      "CWE-377",
      "CWE-59"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46406.json"
  },
  "details": "Claude Code is an agentic coding tool.  From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the /copy command. This vulnerability is fixed in 2.1.128.",
  "id": "CVE-2026-46406",
  "modified": "2026-07-15T01:49:08.399438002Z",
  "published": "2026-06-29T14:03:14.683Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46406.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-4vp2-6q8c-pvq2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46406"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Claude Code: Insecure Temporary File in /copy Command Enables Response Disclosure and Symlink-Based File Write"
}