Vulnerability  ·  2026-07-01

Claude Code /copy Command — Insecure Temporary File Enables Response Disclosure and Symlink File-Write (CVE-2026-46406)

Vulnerability · Medium impact · Global · CVE-2026-46406
CVE-2026-46406 (CVSS 6.1 Medium) affects Claude Code versions 2.1.59 through 2.1.127. The /copy command wrote AI responses to a hardcoded predictable path (/tmp/claude/response.md) with world-readable permissions (0644) in a world-traversable directory (0755), without UID isolation, randomness, or symlink protection. Any local unprivileged user can (1) passively read the file to obtain secrets in a privileged user's Claude session, or (2) pre-create a symlink at the path to cause the privileged Claude Code process to overwrite an attacker-chosen file with response content. Published 2026-06-29.
In AI/agentic developer workflows, Claude Code sessions frequently contain API keys, infrastructure secrets, database credentials, and proprietary code. In multi-user development environments, CI runners, and containerised AI pipelines where multiple processes share /tmp, the symlink attack allows any co-tenant to corrupt critical files (shell profile, infrastructure config, deployment scripts) with AI-generated content.
Local unprivileged attacker pre-creates /tmp/claude/response.md as a symlink to a target file (e.g., ~/.bashrc, a Terraform config). When a privileged user runs the /copy command in Claude Code, the process follows the symlink and overwrites the target with AI response content.
Affected package: @anthropic-ai/claude-code 2.1.59 – 2.1.127
Update @anthropic-ai/claude-code to version 2.1.128 or later. Users on auto-update already received this fix. Advisory: GHSA-4vp2-6q8c-pvq2.
Sources
GitLab Advisory Database — CVE-2026-46406
NVD — CVE-2026-46406