Local File Inclusion Vulnerability in Claude Code Agent Tool
CVE-2026-35603
5.4 MEDIUM
What is CVE-2026-35603?
Claude Code, an agentic coding tool developed by Anthropic, is susceptible to a local file inclusion vulnerability on Windows systems when running versions prior to 2.1.75. The tool improperly loads its configuration settings from a writable directory, allowing low-privileged users to place malicious configuration files. This creates a significant risk in multi-user environments where a victim may unknowingly execute the compromised configuration. It is crucial for users to upgrade to version 2.1.75 or later to mitigate this risk.
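One way to audit for the condition described above, as an added PowerShell example that is not part of the advisory or of Anthropic's code: it reports the owner and any allow-ACEs that let principals other than SYSTEM, Administrators or TrustedInstaller create or replace files in a directory. The function name and the path placeholder are hypothetical; the advisory does not name the configuration directory, so supply it yourself.

```powershell
# Added example. Get-UntrustedWriteAccess is a hypothetical helper name.
function Get-UntrustedWriteAccess {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # If the directory does not exist yet, whoever can create it controls its
    # contents, so audit the nearest existing ancestor instead.
    while (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        $Path = Split-Path -Path $Path -Parent
        if (-not $Path) { throw 'No existing ancestor directory found.' }
    }

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $trusted = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )

    # Rights that allow planting or replacing a file, plus GENERIC_WRITE and
    # GENERIC_ALL, which can appear unmapped in inherit-only ACEs.
    $r = [System.Security.AccessControl.FileSystemRights]
    $mask = [int]($r::CreateFiles -bor $r::AppendData -bor $r::Delete -bor
                  $r::DeleteSubdirectoriesAndFiles -bor $r::ChangePermissions -bor
                  $r::TakeOwnership) -bor 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path

    # An untrusted owner can rewrite the DACL regardless of the ACEs present.
    $owner = $acl.GetOwner($sidType).Value
    if ($owner -notin $trusted) {
        [pscustomobject]@{ Path = $Path; Sid = $owner; Finding = 'Owner'; Rights = 'owner' }
    }

    # Explicit and inherited ACEs, with identities resolved to SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -in $trusted) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -ne 0) {
            [pscustomobject]@{ Path = $Path; Sid = $ace.IdentityReference.Value
                               Finding = 'WritableAce'; Rights = $ace.FileSystemRights }
        }
    }
}

# Usage (placeholder path, not taken from the advisory):
# Get-UntrustedWriteAccess -Path '<CONFIG_DIRECTORY>' | Format-Table -AutoSize
```

Any row returned means a principal outside the trusted set can influence files in that directory. Deny ACEs are not evaluated here, so treat the output as a list of candidates to review.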
Affected Version(s)
claude-code < 2.1.75
