CVE-2026-35603 enables local privilege escalation in Claude Code on Windows
CVE-2026-35603 is a privilege escalation vulnerability (CWE-426 Untrusted Search Path) in Anthropic Claude Code affecting Windows installations prior to version 2.1.75. The tool loaded its system-wide configuration from a user-writable directory without validating ownership or access permissions, allowing a low-privileged local attacker to plant a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. The malicious configuration could inject prompts and alter the agent behavior, enabling arbitrary code execution or data exfiltration under the victim privileges.
Claude Code treated a user-writable directory as a trusted configuration source, letting any local user hijack the agent behavior on a shared Windows machine.
Key facts
- What
- CVE-2026-35603 is a privilege escalation vulnerability (CWE-426 Untrusted Search Path) in Anthropic Claude Code affecting Windows installations prior to version 2.1.75.
- Incident date
- Apr 17, 2026
- Who
- Anthropic
- Failure mode
- Prompt Injection
- AI surface
- Code Assistant
- Severity
- Medium
What happened
CVE-2026-35603 is a privilege escalation vulnerability in Anthropic Claude Code on Windows, where versions prior to 2.1.75 loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. A low-privileged local attacker could create the ClaudeCode subdirectory and place a malicious configuration file that would be automatically loaded when any victim user launched Claude Code on the same machine, enabling the attacker to inject prompts, alter the agent behavior, and execute arbitrary code or exfiltrate data under the victim privileges. The vulnerability was reported by security researcher edbr via HackerOne and was patched in Claude Code version 2.1.75, which added proper directory ownership validation and access permission checks before loading the configuration file.
What broke inside the model
- 01 · TriggerThe model reads retrieved or user-supplied text.
- 02 · Model stepThat text carries hidden instructions.
- 03 · Control gapNothing separates untrusted data from trusted commands.
- 04 · FailureThe injected instruction overrides the operator's.
- 05 · ConsequenceThe system acts on an outsider's intent.
At the injection point, retrieved text overrides the operator's instruction.
Claude Code trusted the contents of C:\ProgramData\ClaudeCode\managed-settings.json without verifying that the directory was owned or access-restricted to administrators. The Windows ProgramData directory is writable by non-administrative users by default, and the ClaudeCode subdirectory was neither pre-created nor protected during installation. This untrusted search path failure meant any local user could plant a configuration file that the application loaded and executed without validation, effectively injecting prompts and hijacking the agent behavior.
What it cost
Sources
- PrimaryInsecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows (GHSA-5cwg-9f6j-9jvx)github.com
- PrimaryCVE-2026-35603 Detail (NVD)nvd.nist.gov
- PressCVE-2026-35603: Claude Code Privilege Escalation Flaw (SentinelOne)sentinelone.com
Cite this entry
https://failureindex.ai/failures/cve-2026-35603-enables-local-privilegeAI Failure Index. "CVE-2026-35603 enables local privilege escalation in Claude Code on Windows" (FI-0170). Realm Labs. https://failureindex.ai/failures/cve-2026-35603-enables-local-privilege (indexed Jun 4, 2026).Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0170. Full dataset at /data.
Note from Realm Labs, the Index steward
How Realm would have caught this
- Prism
- OmniGuard
Realm inspects the model's internal state for the signature of instructions arriving through the data channel, so an injected command can be flagged and blocked inline before the model acts on it, instead of trusting a classifier that scores the input as safe.