What happened
CVE-2026-46406 (CVSS 6.1 Medium) affects Claude Code versions 2.1.59 through 2.1.127. The /copy command wrote AI responses to a hardcoded, predictable path (/tmp/claude/response.md) with world-readable permissions (0644) inside a world-traversable directory (0755), with no per-UID isolation, no randomised file name, and no symlink protection. Any local unprivileged user can therefore (1) passively read the file and obtain any secrets contained in a privileged user's Claude session responses, or (2) pre-create a symlink at that path so that the privileged Claude Code process follows it and overwrites an attacker-chosen file with the response content. Published 2026-06-29.
Why it matters
In AI/agentic developer workflows, Claude Code sessions frequently contain API keys, infrastructure secrets, database credentials, and proprietary code. In multi-user development environments, CI runners, and containerised AI pipelines where multiple processes share /tmp, the symlink attack allows any co-tenant to corrupt critical files (shell profile, infrastructure config, deployment scripts) with AI-generated content.
Attack vector
Local unprivileged attacker pre-creates /tmp/claude/response.md as a symlink to a target file (e.g., ~/.bashrc, a Terraform config). When a privileged user runs the /copy command in Claude Code, the process follows the symlink and overwrites the target with AI response content.
Affected systems
@anthropic-ai/claude-code 2.1.59 – 2.1.127
Mitigation
Update @anthropic-ai/claude-code to version 2.1.128 or later. Users on auto-update already received this fix. Advisory: GHSA-4vp2-6q8c-pvq2.