CVE-2026-24053

Source
https://cve.org/CVERecord?id=CVE-2026-24053
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24053.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24053
Aliases
Published
2026-02-03T20:49:59.261Z
Modified
2026-02-07T22:22:34.703134Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes
Details

Claude Code is an agentic coding tool. Prior to version 2.0.74, a flaw in how Bash command validation parsed ZSH clobber syntax made it possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required that the user be running ZSH and that untrusted content could be added into a Claude Code context window. This issue has been patched in version 2.0.74.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22",
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24053.json"
}
References

Affected packages

Git / github.com/anthropics/claude-code

Affected ranges

Type
GIT
Repo
https://github.com/anthropics/claude-code
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v2.*
v2.0.73

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24053.json"