Claude Code Deny Rule Bypass Vulnerability via Symbolic Links

Vulnerability

A vulnerability exists in Claude Code prior to version 2.1.7, allowing the tool to bypass deny rules set in the settings.json file when accessing files through symbolic links. Users who denied access to specific files, such as /etc/passwd, could still have those files read by Claude Code if a symbolic link to the file was accessible, all without triggering the deny rule. This issue has been addressed in version 2.1.7.
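The class of bug described above, as an added example that is not Claude Code's code or part of the original advisory: a deny check that compares the requested path as written misses a symbolic link to a denied file, while a check that resolves the link first catches it. The flat list of absolute deny paths and all function names are assumptions for illustration; the advisory does not describe Claude Code's actual rule matching or its fix.

```javascript
// Added example; not Claude Code's code. Deny entries are plain absolute paths here.
const fs = require("fs");
const os = require("os");
const path = require("path");

// True when `p` is the denied path itself or lies beneath it.
function covers(denied, p) {
  return p === denied || p.startsWith(denied + path.sep);
}

// Weak form: compares the path exactly as it was requested.
function isDeniedLexical(requested, denyList) {
  const p = path.resolve(requested);
  return denyList.some((d) => covers(path.resolve(d), p));
}

// Resolve symlinks; fall back to the lexical path if the entry does not exist.
function realOrLexical(p) {
  try { return fs.realpathSync(p); } catch { return path.resolve(p); }
}

// Hardened form: resolve symlinks on both sides, then compare.
function isDeniedResolved(requested, denyList) {
  let real;
  // A path that cannot be resolved (dangling link, loop) is denied: fail closed.
  try { real = fs.realpathSync(requested); } catch { return true; }
  return denyList.some((d) => covers(realOrLexical(d), real));
}

// Constructed fixture: a denied file, a symlink to it, and an unrelated file.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "deny-demo-"));
  const [secret, link, open] = ["secret.txt", "notes.txt", "open.txt"]
    .map((name) => path.join(dir, name));
  try {
    fs.writeFileSync(secret, "constructed sample\n");
    fs.writeFileSync(open, "constructed sample\n");
    fs.symlinkSync(secret, link);
    const deny = [secret];
    return {
      lexicalDirect: isDeniedLexical(secret, deny),
      lexicalViaLink: isDeniedLexical(link, deny),
      resolvedViaLink: isDeniedResolved(link, deny),
      resolvedUnrelated: isDeniedResolved(open, deny),
    };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
console.log(demo());
```

Resolving and then opening the file are separate steps, so a link swapped between them can still defeat the check; a complete fix also has to open the resolved path rather than the requested one.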

Impact

Exploitation of this vulnerability could lead to unauthorized access to files that were explicitly denied in the user's settings, potentially allowing sensitive information to be read by Claude Code.

Remediation

Users of Claude Code who have the auto-update feature enabled have already received this fix. Those who update manually should download the latest version.

Added: Feb 6, 2026, 6:26 PM
Updated: Feb 6, 2026, 10:48 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.0
remediation: 0.0
relevance: 2.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.