Vulnerabilities ›

CVE-2026-35603

High

CWE-426 — Weakness Type

                    Published: Apr 17, 2026                      ·  Modified: Apr 24, 2026                      ·  Source: NVD                

CVSS v3

7.3

🔗 NVD Official

📄 Description (English)

Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. This issue has been fixed on version 2.1.75.

🤖 AI Executive Summary

Claude Code versions prior to 2.1.75 on Windows contain a privilege escalation vulnerability (CVE-2026-35603) where low-privileged users can create malicious configuration files in the ProgramData directory that are automatically loaded by other users. This affects shared multi-user Windows systems commonly found in Saudi corporate environments. The vulnerability requires local access and user interaction but could enable unauthorized code execution with elevated privileges.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 5, 2026 22:17

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi organizations with shared development workstations, particularly in: (1) Technology and software development companies using Claude Code for AI-assisted development; (2) Government IT departments and research institutions utilizing Claude Code on shared systems; (3) Financial services firms (SAMA-regulated banks) with development teams; (4) Telecommunications companies (STC, Mobily) with shared development infrastructure; (5) Energy sector (ARAMCO, SABIC) research and development teams. The risk is elevated in organizations with inadequate endpoint security controls and multi-user Windows systems common in Saudi corporate environments.

🏢 Affected Saudi Sectors

Technology and Software Development Government and Public Administration Banking and Financial Services Telecommunications Energy and Utilities Research and Development Higher Education

🎯 MITRE ATT&CK Techniques

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.014 - Boot or Logon Autostart Execution: Active Setup T1574.010 - Hijack Execution Flow: Services Registry Permissions Weakness T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control T1547.010 - Boot or Logon Autostart Execution: Port Monitors T1543.001 - Create or Modify System Process: Windows Service T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking

⚖️ Saudi Risk Score (AI)

6.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all Claude Code installations across the organization using endpoint detection tools

2. Audit C:\ProgramData\ClaudeCode directory permissions on all Windows systems

3. Review access logs for unauthorized configuration file creation

4. Isolate affected shared systems if suspicious configuration files are detected

Patching Guidance:

1. Upgrade Claude Code to version 2.1.75 or later immediately on all systems

2. Implement automated patch management for Claude Code updates

3. Restrict ProgramData directory permissions to prevent non-administrative users from creating subdirectories

4. Pre-create C:\ProgramData\ClaudeCode with restricted permissions (Administrators only)

Compensating Controls (if immediate patching not possible):

1. Disable Claude Code on shared multi-user systems until patched

2. Implement application whitelisting to prevent unauthorized Claude Code execution

3. Monitor ProgramData directory for unauthorized file creation using File Integrity Monitoring (FIM)

4. Restrict local user account privileges where possible

5. Implement Windows AppLocker policies to control Claude Code execution

Detection Rules:

1. Monitor for file creation in C:\ProgramData\ClaudeCode by non-administrative users

2. Alert on modifications to managed-settings.json outside of official Claude Code updates

3. Track Claude Code process execution with suspicious parent processes

4. Monitor for privilege escalation attempts following Claude Code execution

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع تثبيتات Claude Code عبر المنظمة باستخدام أدوات كشف نقاط النهاية

2. تدقيق أذونات مجلد C:\ProgramData\ClaudeCode على جميع أنظمة Windows

3. مراجعة سجلات الوصول لإنشاء ملفات إعدادات غير مصرح بها

4. عزل الأنظمة المشتركة المتأثرة إذا تم اكتشاف ملفات إعدادات مريبة

إرشادات التصحيح:

1. ترقية Claude Code إلى الإصدار 2.1.75 أو أحدث فوراً على جميع الأنظمة

2. تنفيذ إدارة التصحيحات الآلية لتحديثات Claude Code

3. تقييد أذونات مجلد ProgramData لمنع المستخدمين غير الإداريين من إنشاء مجلدات فرعية

4. إنشاء مسبق لـ C:\ProgramData\ClaudeCode بأذونات مقيدة (المسؤولون فقط)

الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):

1. تعطيل Claude Code على الأنظمة المشتركة متعددة المستخدمين حتى يتم تصحيحها

2. تنفيذ قائمة بيضاء للتطبيقات لمنع تنفيذ Claude Code غير المصرح به

3. مراقبة مجلد ProgramData للكشف عن إنشاء ملفات غير مصرح بها باستخدام مراقبة سلامة الملفات

4. تقييد امتيازات حسابات المستخدمين المحليين حيثما أمكن

5. تنفيذ سياسات Windows AppLocker للتحكم في تنفيذ Claude Code

قواعد الكشف:

1. مراقبة إنشاء الملفات في C:\ProgramData\ClaudeCode من قبل المستخدمين غير الإداريين

2. التنبيه على التعديلات على managed-settings.json خارج تحديثات Claude Code الرسمية

3. تتبع تنفيذ عملية Claude Code مع العمليات الأب المريبة

4. مراقبة محاولات تصعيد الامتيازات بعد تنفيذ Claude Code

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policy (inadequate directory permission controls) ECC 2024 A.5.2.1 - User Registration and Access Rights (privilege escalation) ECC 2024 A.5.3.1 - Management of Privileged Access Rights (local privilege escalation) ECC 2024 A.8.1.1 - User Endpoint Devices (shared system security)

🔵 SAMA CSF

SAMA CSF ID.AM-2 - Asset Management (inventory of Claude Code installations) SAMA CSF PR.AC-1 - Access Control (directory permissions and privilege management) SAMA CSF PR.AC-4 - Access Rights (principle of least privilege violation) SAMA CSF DE.CM-1 - Detection and Analysis (monitoring for unauthorized configuration changes)

🟡 ISO 27001:2022

ISO 27001:2022 A.5.2 - User Access Management (inadequate access controls) ISO 27001:2022 A.5.3 - Privileged Access Rights (privilege escalation vulnerability) ISO 27001:2022 A.8.1 - User Endpoint Devices (endpoint security controls) ISO 27001:2022 A.8.3 - Removable Media (configuration file integrity)

🔗 References & Sources 1

🔗

https://github.com/anthropics/claude-code/security/advisories/GHSA-5cwg-9f6j-9jvx

security-advisories@github.com

Vendor Advisory

📦 Affected Products / CPE 1 entries

anthropic:claude_code

📊 CVSS Score

7.3

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionR — Required

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.3

CWECWE-426

EPSS0.01%

Exploit No

Patch ✗ No

Published 2026-04-17

Source Feed nvd

🇸🇦 Saudi Risk Score

6.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-426

🏢 Vendor Advisories

🔗 https://github.com/anthropics/claude-code/security/a...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-35603

💬 Comments

Introduce Yourself

Sign In Required