At a glance
- The issue: On Windows, Claude Code reads a config file from C:\ProgramData\ClaudeCode\ — a folder that any local user can write to. A non-admin user on a shared Windows machine can plant a malicious managed-settings.json that everyone else's Claude Code session then loads automatically.
- Who's affected: Multi-user Windows hosts running @anthropic-ai/claude-code before version 2.1.75.
- What to do now: Upgrade @anthropic-ai/claude-code to 2.1.75 (or newer) on every Windows host where multiple accounts run the CLI.
Executive Summary
Anthropic's Claude Code CLI (@anthropic-ai/claude-code) before version 2.1.75 loads a system-wide configuration file from C:\ProgramData\ClaudeCode\managed-settings.json on Windows without validating the ownership or access-control state of the containing directory (GHSA-5cwg-9f6j-9jvx). Because ProgramData is writable by non-administrative users by default on Windows, and the ClaudeCode subdirectory was not pre-created with restrictive permissions, a low-privileged local user on a shared Windows host can place a malicious managed-settings.json that is loaded automatically for any subsequent user launching Claude Code on the same machine (GHSA-5cwg-9f6j-9jvx). The "privilege" gained is control over the victim's subsequent Claude Code agent-session trust context (the governance levers exposed by the managed-settings mechanism), not a transition to SYSTEM or Administrator on the host (RAXE assessment of the vulnerability's practical effect). The issue is tracked as CVE-2026-35603 with CWE-426 Untrusted Search Path; NVD completed analysis on 2026-04-22 and assigned CVSS 3.1 Primary 7.3 HIGH (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), while the GitHub CNA's CVSS 4.0 Secondary is 5.4 MEDIUM; RAXE uses the NVD 3.1 Primary as the headline severity (GHSA-5cwg-9f6j-9jvx; NVD). Anthropic patched the issue in 2.1.75, published to npm on 2026-03-13, approximately 40 hours after 2.1.74 on 2026-03-11 (npm registry).
Risk Rating
| Dimension | Rating | Detail |
|---|---|---|
| Severity | High (NVD 3.1 Primary) / Medium (CNA 4.0 Secondary) | NVD CVSS 3.1 Primary 7.3 HIGH (analysis completed 2026-04-22); GitHub CNA CVSS 4.0 Secondary 5.4 MEDIUM. The two scores use different scoring systems and are not directly comparable; see the CVSS section for the divergence discussion. |
| Urgency | Low for most populations; Moderate for shared-host deployments | Patch shipped 2026-03-13; auto-update installations have already received it. EPSS 0.00012 / 1.5th percentile (FIRST.org, 2026-04-20). |
| Scope | Shared multi-user Windows hosts running @anthropic-ai/claude-code < 2.1.75 | Does not affect single-user laptop installations, Linux, or macOS (GHSA-5cwg-9f6j-9jvx). |
| Confidence | High | Root cause (ProgramData ACL default + missing ownership validation) is the standard Windows LPE primitive documented by Microsoft; advisory-confirmed and consistent with CWE-426. |
| Business Impact | High on affected deployments, narrow total population | Attacker hijacks the victim's Claude Code session (levers exposed by managed-settings.json, RAXE assessment of the managed-settings schema); single-user laptops not in scope. |
Affected Products
| Product | Affected Versions | Fixed Version | Status |
|---|---|---|---|
| @anthropic-ai/claude-code (npm), Windows | < 2.1.75 | 2.1.75 (published 2026-03-13) | Patched (Anthropic via GHSA) |
Am I affected?
- Platform check: only Windows installations are affected (GHSA-5cwg-9f6j-9jvx states "Windows-only"). Linux and macOS installations are not in scope.
- Version check: run npm list -g @anthropic-ai/claude-code or claude-code --version. Versions < 2.1.75 are affected.
- Multi-user check: single-user developer laptops are not at material risk from this advisory. Hosts in scope: Citrix/RDS/VDI farms with Claude Code pre-installed, Windows Server installations with automation accounts, developer VMs with multiple service accounts.
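The three checks above can be run together from an elevated PowerShell prompt. The script below is an added triage example written for this brief, not a script from the advisory or from Anthropic; it assumes PowerShell 5.1 or later, npm on PATH with the package installed globally, and English principal names (BUILTIN\Users and so on). The path and fixed version are the advisory's; the SharedHostExposure verdict combines the version, directory-ACL and profile-count checks into one flag.

```powershell
# Added triage example for this brief; it is not a script from the advisory or from
# Anthropic. Assumptions: PowerShell 5.1+, npm on PATH with the package installed
# globally, and English principal names (BUILTIN\Users etc.). Paths and the fixed
# version are the advisory's.

$FixedVersion = [version]'2.1.75'
$ConfigDir    = 'C:\ProgramData\ClaudeCode'
$ConfigFile   = Join-Path $ConfigDir 'managed-settings.json'

# Principals that must never hold write rights on the directory.
$BroadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
# Specific write bits (CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes)
# plus GENERIC_WRITE / GENERIC_ALL, which Get-Acl reports as raw integers on inherit-only ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x40000000 -bor 0x10000000

function Get-ClaudeCodeVersion {
    if (-not (Get-Command npm -ErrorAction SilentlyContinue)) { return $null }
    # npm prints {"dependencies":{"@anthropic-ai/claude-code":{"version":"2.1.74", ...}}}
    $raw = (& npm list -g '@anthropic-ai/claude-code' --json 2>$null) -join "`n"
    if (-not $raw) { return $null }
    $entry = ($raw | ConvertFrom-Json).dependencies.'@anthropic-ai/claude-code'
    if (-not $entry) { return $null }
    return [version]($entry.version -replace '-.*$', '')   # drop any pre-release tag
}

function Get-BroadWriteAces {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }   # directory absent: nothing to inspect yet
    @((Get-Acl $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $WriteMask) -ne 0
    } | ForEach-Object {
        "$($_.IdentityReference): $($_.FileSystemRights)$(if ($_.IsInherited) { ' (inherited)' })"
    })
}

$installed  = Get-ClaudeCodeVersion
$broadAces  = Get-BroadWriteAces $ConfigDir
$owner      = if (Test-Path $ConfigFile) { (Get-Acl $ConfigFile).Owner } else { '<file absent>' }
# Non-service profiles on the host; more than one means the shared-host attacker model applies.
$profiles   = @(Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special }).Count
$vulnerable = ($null -ne $installed) -and ($installed -lt $FixedVersion)

[pscustomobject]@{
    InstalledVersion   = $installed
    VulnerableVersion  = $vulnerable
    BroadWriteOnDir    = ($broadAces -join '; ')
    ConfigFileOwner    = $owner     # expect Administrators/SYSTEM; an ordinary user here is a red flag
    LocalUserProfiles  = $profiles
    SharedHostExposure = $vulnerable -and ($broadAces.Count -gt 0) -and ($profiles -gt 1)
}
```

A host that reports VulnerableVersion = True but LocalUserProfiles = 1 and an empty BroadWriteOnDir is the single-user laptop case the brief deprioritises; SharedHostExposure = True is the population to patch first. A ConfigFileOwner that is not Administrators or SYSTEM on a host that has never had managed settings deployed deserves the same follow-up as the Sysmon file-write signal in the Detection Signatures section.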
Abstract
CVE-2026-35603 is an untrusted-search-path vulnerability (CWE-426) in @anthropic-ai/claude-code versions before 2.1.75 on Windows (NVD; GHSA-5cwg-9f6j-9jvx). Claude Code loads a system-wide managed-settings.json from C:\ProgramData\ClaudeCode\. The default Windows ACL on C:\ProgramData\ grants write access to non-administrative users; the pre-patch Claude Code installer did not pre-create the ClaudeCode subdirectory with elevated permissions, and the config loader did not validate the ownership of managed-settings.json before loading it (GHSA-5cwg-9f6j-9jvx). A low-privileged local user on a shared Windows host can therefore place a poisoned config that governs a subsequent user's Claude Code session; RAXE's reading of Claude Code's publicly-documented managed-settings feature is that a poisoned file can influence auto-approval policies, permitted MCP servers, and environment-level controls for that session (RAXE assessment, based on the public managed-settings schema). The advisory itself describes the exposed surface as "system-wide default configuration" without enumerating specific levers. NVD completed analysis on 2026-04-22 and assigned CVSS 3.1 Primary 7.3 HIGH with vector AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H; the GitHub CNA's CVSS 4.0 Secondary score is 5.4 MEDIUM (NVD). Anthropic published @anthropic-ai/claude-code 2.1.75 on 2026-03-13, approximately 40 hours after 2.1.74; users on the default auto-update channel have already received the fix (GHSA-5cwg-9f6j-9jvx; npm registry).
Key Findings
- The attack primitive is a file write, not a memory-corruption or privilege-transition bug. An attacker logged in as a standard user on a shared Windows host simply writes C:\ProgramData\ClaudeCode\managed-settings.json with attacker-chosen contents (GHSA-5cwg-9f6j-9jvx).
- The config controls agent behaviour, not just UI chrome (RAXE assessment of the managed-settings feature). Based on Claude Code's public managed-settings documentation, the file schema includes auto-approval rules for tool calls, permitted MCP servers, environment variables, and policy-level controls; a poisoned config can therefore silently change which servers the victim's agent contacts and which prompts it auto-approves. The GHSA advisory itself describes the surface as "system-wide default configuration" without enumerating fields; the attack-impact characterisation in this publication is RAXE's reading of the feature's documented schema, not an advisory quote.
- Two user sessions are required. User A writes the poisoned config; user B is the victim, loading it when they launch Claude Code. The attack is therefore specifically a shared-host LPE, not a single-user desktop compromise (GHSA-5cwg-9f6j-9jvx).
- Auto-update is the primary distribution path for the fix. Anthropic's advisory states users on standard auto-update have already received 2.1.75; the remaining at-risk population is manual-update installations (GHSA-5cwg-9f6j-9jvx).
- NVD completed analysis on 2026-04-22. CVE-2026-35603 now carries status Analyzed with an NVD CVSS 3.1 Primary score of 7.3 HIGH alongside the CVSS 4.0 Secondary 5.4 MEDIUM from the GitHub CNA. The two scores use different CVSS versions (3.1 vs 4.0) and different impact metrics; see the CVSS section for the divergence discussion (NVD).
Attack Flow
Vulnerable: @anthropic-ai/claude-code < 2.1.75 on Windows, multi-user host
Step 1 (attacker — low-priv local user):
WRITE C:\ProgramData\ClaudeCode\managed-settings.json
contents = attacker-chosen managed settings (auto-approve policies,
MCP server list, env vars, etc.)
Step 2 (victim — different user, same host):
LAUNCH claude-code
claude-code → reads C:\ProgramData\ClaudeCode\managed-settings.json
→ session governed by attacker-controlled settings
→ agent decisions (tool calls, MCP connections) now
reflect the attacker's intent, not the victim's
Result: agent session for user B runs under user A's configuration.
No crash, no privilege transition, no elevation prompt.
Technical Details
Root cause
Two pre-patch design decisions combined to produce the vulnerability (GHSA-5cwg-9f6j-9jvx):
- The ClaudeCode subdirectory under C:\ProgramData\ was not pre-created with restrictive permissions. On a stock Windows host, C:\ProgramData\ itself is writable by BUILTIN\Users; subdirectories created by an installer inherit the parent ACL unless explicitly locked down. Microsoft's guidance for applications using %ProgramData% is to either create the subdirectory during elevated install with administrator-only write, or to validate ownership at load time.
- The config loader did not validate file ownership or write ACL before reading managed-settings.json. It treated any file at the canonical path as authoritative.
Either mitigation alone would have closed the issue; the absence of both is what made the primitive reachable from an unprivileged local session.
Attack mechanics
A standard-user logon on the host creates or overwrites C:\ProgramData\ClaudeCode\managed-settings.json. The next Claude Code invocation on the host, by any user, loads that file. Because managed-settings.json is, by RAXE's reading of the public managed-settings documentation, the channel through which enterprise administrators push centrally-governed Claude Code policy (auto-approve patterns, permitted MCP endpoints, environment variable injection, and deployment constraints), the attacker's file silently substitutes their policy for the legitimate administrator's (RAXE assessment based on the managed-settings feature documentation; the GHSA advisory itself refers to the file only as "system-wide default configuration").
The attacker does not need code execution capability beyond "create a file." The attack does not require kernel-level privilege, SYSTEM-account access, or network reachability. It does require a second user to subsequently launch Claude Code on the same host.
CVSS and severity
| Scoring System | Score | Severity | Vector | Source |
|---|---|---|---|---|
| CVSS 3.1 | 7.3 | High | AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | NVD Primary (analysis completed 2026-04-22) |
| CVSS 4.0 | 5.4 | Medium | AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | GHSA-5cwg-9f6j-9jvx (GitHub CNA Secondary) / NVD Secondary |
Vector notes: the combination AV:L/PR:L/UI:P/AT:P encodes the full prerequisite chain: local attack vector, low-privileged local user, passive user interaction (victim must launch Claude Code), and an environmental precondition (multi-user host). VC:H/VI:H/VA:H reflects that once exploited, the attacker fully controls the victim's agent session for its duration.
NVD status: Analyzed (analysis completed 2026-04-22). NVD has assigned a Primary CVSS 3.1 score of 7.3 HIGH with vector AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The CVSS 4.0 score from the GitHub CNA remains in the record as a Secondary entry at 5.4 MEDIUM.
Score divergence note: The NVD CVSS 3.1 Primary (7.3 HIGH) and the CNA CVSS 4.0 Secondary (5.4 MEDIUM) use different scoring systems and are not directly comparable. CVSS 4.0's AT:P (Attack Requirements: Present) encodes the multi-user-host precondition in a way CVSS 3.1 does not, which contributes to the apparent score gap. RAXE publication convention is to treat NVD Primary as the reference severity; practitioners should read both scores together.
Patch
@anthropic-ai/claude-code@2.1.75 published to npm on 2026-03-13T15:51:07.443Z; the prior release 2.1.74 was published on 2026-03-11T23:31:27.307Z (npm registry, queried 2026-04-20). The advisory states users on auto-update have already received the fix; the remaining exposure is installations on manual update cadences (GHSA-5cwg-9f6j-9jvx).
The advisory does not detail the fix mechanism. RAXE's KAC 3 assumption is that 2.1.75 adds validation at load time, most likely ownership or ACL checks on C:\ProgramData\ClaudeCode\managed-settings.json before reading it (see the brief's KAC list). C:\ProgramData\ClaudeCode\managed-settings.json remains the supported enterprise managed-settings path per Anthropic's current documentation; the 2.1.75 fix hardens the read path rather than migrating to a new location (Anthropic managed-settings docs; RAXE assessment). Defence-in-depth remediation, tightening the directory ACL to Administrators: Full Control, Users: Read & Execute, should be performed on shared hosts regardless of patch level.
Confidence & Validation
Assessment Confidence: High
| Aspect | Status | Detail |
|---|---|---|
| Vendor advisory | Confirmed | Anthropic-authored GHSA, published 2026-04-17 |
| CVE assigned | Confirmed | CVE-2026-35603, NVD status Analyzed (analysis completed 2026-04-22), NVD CVSS 3.1 Primary 7.3 HIGH |
| PoC available | Not published | Advisory is directory-layout-level; no weaponised exploit in public |
| Patch available | Confirmed | @anthropic-ai/claude-code 2.1.75, npm publish 2026-03-13 |
| Exploited in wild | Not observed by RAXE | No KEV listing; no vendor statement of in-wild exploitation |
Detection Signatures
Full Sigma rules published in the finding directory as detection/claude-code-programdata-lpe.yml:
- Claude Code ProgramData managed-settings.json Written by Non-Privileged Process, Sysmon Event ID 11 (file creation) on the canonical path by any process that is not SYSTEM or the Claude Code installer. High-fidelity pre-exploit signal on affected hosts.
- Claude Code Launched After managed-settings.json Write On Same Host, Sigma correlation rule. The portable rule joins the ProgramData write and later Claude Code launch on the same host within 24 hours; implement the "different writer and launcher users" suppression in the target SIEM/EDR backend.
- Claude Code ProgramData Directory ACL Weakness (Defence-in-Depth), backend-specific audit guidance for flagging any C:\ProgramData\ClaudeCode\ directory with write access granted to BUILTIN\Users, Everyone, or Authenticated Users. The directory is the supported enterprise managed-settings path; the rule catches pre-patch exposure and install regressions regardless of patch version, but field names and access-mask normalization must be adapted to the target Windows telemetry source.
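The first two signatures can be reproduced directly against a host's Sysmon log when no SIEM backend is available, for example during incident triage on a single RDS server. The script below is an added example written for this brief, not the Sigma rule set the brief references; it assumes Sysmon is installed with file-create (Event ID 11) and process-create (Event ID 1) logging enabled, that the Sysmon version in use populates the User field on Event ID 11, and that the Claude Code launch is identifiable by "claude" in the process image or command line (Claude Code typically runs as node.exe with the package path on the command line). It implements the 24-hour write-then-launch join and the "different writer and launcher users" suppression that the portable rule leaves to the backend.

```powershell
# Added detection example for this brief; it is not the brief's Sigma rule set.
# Assumptions: Sysmon Event IDs 1 and 11 are logged, Event ID 11 carries a User field
# (recent Sysmon releases), and a Claude Code launch has "claude" in Image or CommandLine.
# Sysmon logs Event ID 11 when a file is created OR overwritten, so both cases are covered.

$ConfigFile   = 'C:\ProgramData\ClaudeCode\managed-settings.json'
$LogName      = 'Microsoft-Windows-Sysmon/Operational'
$Window       = [timespan]::FromHours(24)
$TrustedUsers = @('NT AUTHORITY\SYSTEM')   # expected writers; add the deployment account if one exists

function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten the <EventData><Data Name="..."> pairs into a hashtable, then pick the fields used below.
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time  = $Event.TimeCreated
        Id    = $Event.Id
        User  = $data['User']
        Image = $data['Image']
        Cmd   = $data['CommandLine']
        File  = $data['TargetFilename']
    }
}

function Find-ManagedSettingsTampering {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = @(1, 11); StartTime = $Since } -ErrorAction SilentlyContinue |
              ForEach-Object { ConvertFrom-SysmonEvent $_ }

    # Signal 1: the config file was written by something other than SYSTEM / the installer.
    $writes = $events | Where-Object {
        $_.Id -eq 11 -and $_.File -eq $ConfigFile -and $TrustedUsers -notcontains $_.User
    }
    # Signal 2 input: every Claude Code launch on the host in the same period.
    $launches = $events | Where-Object {
        $_.Id -eq 1 -and ($_.Image -match 'claude' -or $_.Cmd -match 'claude')
    }

    foreach ($w in $writes) {
        # Join: a launch by a DIFFERENT user within 24h of the write is the exploitation shape;
        # a write with no such launch is still the high-fidelity pre-exploit signal.
        $victims = @($launches | Where-Object {
            $_.Time -gt $w.Time -and ($_.Time - $w.Time) -le $Window -and $_.User -ne $w.User
        })
        [pscustomobject]@{
            WriteTime     = $w.Time
            Writer        = $w.User
            WriterImage   = $w.Image
            LaterLaunches = $victims.Count
            LaunchUsers   = (($victims | ForEach-Object { $_.User }) | Sort-Object -Unique) -join ', '
            Severity      = if ($victims.Count -gt 0) { 'exploitation shape' } else { 'pre-exploit write' }
        }
    }
}

Find-ManagedSettingsTampering | Format-Table -AutoSize
```

Any row at all on a correctly patched host is worth a ticket, since the only legitimate writers of this file are the installer and an administrator's deployment tooling; a row marked "exploitation shape" is the trigger for the credential rotation described under Priority 4. The time window and the "claude" match are the two knobs to tune for a given estate.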
Detection & Mitigation
Priority 1, inventory and patch. Identify Windows hosts running @anthropic-ai/claude-code, filter to those on < 2.1.75, and push updates. Single-user developer laptops can be deprioritised; shared-host environments are the focus.
Priority 2, harden the ProgramData directory ACL. On all Windows hosts with Claude Code installed, set the ACL on C:\ProgramData\ClaudeCode\ to grant write access only to Administrators and SYSTEM. C:\ProgramData\ClaudeCode\managed-settings.json is the supported enterprise managed-settings path per Anthropic's current documentation; the ACL hardening is defence-in-depth layered on top of the 2.1.75 ownership-validation fix, not a migration away from the path (Anthropic managed-settings docs; RAXE assessment).
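The hardening step, as an added example written for this brief (not a script from Anthropic or the advisory): it pre-creates the directory from an elevated session if the installer has not, so that no standard user can create it first with a permissive inherited ACL, then replaces the inherited ProgramData ACEs with the Administrators/SYSTEM Full Control and Users Read & Execute layout recommended in the Patch section. It assumes English principal names and the built-in icacls.exe, and it must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added hardening example for this brief, not from the advisory or Anthropic.
# Assumptions: English principal names; icacls.exe on PATH (it ships with Windows).

$ConfigDir  = 'C:\ProgramData\ClaudeCode'
$ConfigFile = Join-Path $ConfigDir 'managed-settings.json'

if (-not (Test-Path $ConfigDir)) {
    # Created from an elevated session, so the directory exists before any standard
    # user can create it and inherit the BUILTIN\Users write ACE from C:\ProgramData.
    New-Item -ItemType Directory -Path $ConfigDir | Out-Null
}

# Ownership first: whoever created the directory may own it and could otherwise re-grant themselves rights.
icacls $ConfigDir /setowner 'BUILTIN\Administrators' /t | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /setowner failed with exit code $LASTEXITCODE" }

# Replace the ACL:
#   /inheritance:r  drop the ACEs inherited from C:\ProgramData (incl. Users write and CREATOR OWNER)
#   /grant:r        replace explicit grants with exactly the listed ones
#   (OI)(CI)        propagate to files and subdirectories; /t applies to anything already present
icacls $ConfigDir /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
             'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
             'BUILTIN\Users:(OI)(CI)RX' `
    /t | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls ACL replacement failed with exit code $LASTEXITCODE" }

# Record the result for the change ticket.
(Get-Acl $ConfigDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Hardening the ACL does not remove a file that is already there; surface it for review.
if (Test-Path $ConfigFile) {
    Write-Warning "$ConfigFile already exists (owner: $((Get-Acl $ConfigFile).Owner)); confirm its contents match the administrator-deployed policy before trusting it."
}
```

Because the script removes inheritance, later changes to the C:\ProgramData ACL by Windows updates or other installers no longer flow into this directory, which is the behaviour wanted for a policy path; the trade-off is that an administrator who intentionally changes the parent ACL has to revisit this directory separately. If the host uses a dedicated deployment account to push managed settings, add it alongside SYSTEM with the same (OI)(CI)F grant rather than widening Users.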
Priority 3, correlate EDR telemetry. Deploy the Sigma rules referenced above to Windows EDR platforms (Defender for Endpoint, Sentinel, third-party). The file-creation rule is the highest-fidelity pre-exploit signal and produces essentially zero false positives on correctly-patched hosts.
Priority 4, credential rotation on confirmed-exposed hosts. Rotate credentials when telemetry shows an untrusted write to C:\ProgramData\ClaudeCode\managed-settings.json, weak directory ACLs combined with a suspicious write-then-launch correlation, or other evidence that a victim session loaded attacker-controlled managed settings. Running < 2.1.75 on a shared host is exposure, not proof of compromise.
Priority 5, access-review shared hosts. RDS/Citrix/VDI environments routinely grant local-logon rights to a wider population than strictly necessary; use this advisory as a prompt to review which users can interactively log on to Claude-Code-bearing hosts.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| File-path | C:\ProgramData\ClaudeCode\managed-settings.json written by a non-SYSTEM, non-installer process | Pre-exploit primitive (GHSA-5cwg-9f6j-9jvx) |
| Correlation | Write by user A + Claude Code launch by user B on the same host within a shared-logon session | Exploitation shape (RAXE assessment) |
| Audit | Directory ACL on C:\ProgramData\ClaudeCode\ granting write to Users/Everyone | Pre-patch configuration or install regression |
No file-hash IoCs are available; the attack payload is user-provided JSON, not a fixed artefact (RAXE assessment).
Strategic Context
This finding, paired with other agentic-CLI configuration-loading issues published in the same reporting cycle (notably parallel coverage of the OpenAI Codex CLI's auto-loaded MCP configuration), defines a class: agentic CLIs that load configuration from attacker-influenceable paths without provenance validation. The two cases differ in attacker model (repository-scoped config for Codex, host-scoped config for Claude Code) but share the underlying design flaw.
For security vendors building EDR or developer-workstation detection content, two evergreen rules should be added to the standard set for any agentic CLI shipping a managed-settings feature:
- File-creation monitor on the CLI's system-wide configuration path by non-privileged, non-installer processes.
- Schema-integrity monitor on any managed-settings or policy file the CLI loads, compare to a cryptographically-signed or admin-signed baseline where the CLI supports it.
For enterprise defenders, the Windows-specific shape of this vulnerability is a reminder that agentic tooling is not confined to developer laptops: Citrix/RDS/VDI and Windows Server installations of agentic CLIs are meaningfully in scope, and benefit from the same hardening that enterprise Windows baselines already apply to other %ProgramData%-dwelling applications (RAXE assessment).
Anthropic's response, approximately 40 hours from the last vulnerable release (2.1.74 on 2026-03-11T23:31 UTC) to the fix release (2.1.75 on 2026-03-13T15:51 UTC) on npm, is a fast coordinated-disclosure-to-fix window in absolute terms (RAXE assessment based on the verified npm publish timestamps).
References
- GHSA-5cwg-9f6j-9jvx, Claude Code insecure system-wide configuration loading (Windows LPE), https://github.com/anthropics/claude-code/security/advisories/GHSA-5cwg-9f6j-9jvx (accessed 2026-04-20; published 2026-04-17).
- NVD, CVE-2026-35603, https://nvd.nist.gov/vuln/detail/CVE-2026-35603 (accessed 2026-04-23; status Analyzed, NVD analysis completed 2026-04-22; NVD CVSS 3.1 Primary 7.3 HIGH).
- npm registry, @anthropic-ai/claude-code 2.1.75 manifest, https://registry.npmjs.org/@anthropic-ai/claude-code/2.1.75 (publish time 2026-03-13T15:51:07.443Z, verified 2026-04-20).
- FIRST.org EPSS, CVE-2026-35603, https://api.first.org/data/v1/epss?cve=CVE-2026-35603 (0.00012, 1.5th percentile, 2026-04-20).