{"data":{"id":"69819982-f844-4214-abdc-f63d787a54aa","title":"GHSA-5cwg-9f6j-9jvx: Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows","summary":"Claude Code on Windows had a security flaw where it loaded configuration files from a shared system directory without checking who owned that directory or had permission to change it. Since regular users could write to this directory by default, an attacker could create a malicious configuration file that would run with elevated privileges when another user launched Claude Code, allowing a local privilege escalation (unauthorized access to higher-level permissions).","solution":"Users on standard Claude Code auto-update have already received this fix. Users performing manual updates are advised to update to the latest version.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-5cwg-9f6j-9jvx","publishedAt":"2026-04-17T22:19:38.000Z","cveId":"CVE-2026-35603","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["@anthropic-ai/claude-code@< 2.1.75 (fixed: 2.1.75)"],"affectedVendors":["Anthropic"],"affectedVendorsRaw":["Claude Code","Anthropic"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-17T22:19:38.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0010"]}}