The Ledger
Claude Code, Anthropic's AI-powered coding assistant, has accumulated 28 CVEs in approximately one year of existence. Two are rated CVSS 10.0 — a perfect severity score. Four more are rated 9.1 or higher. The tool that developers use to find and fix security vulnerabilities has become a vulnerability class of its own.
For context, Hugo — a static site generator used by thousands of production sites — has zero CVEs. HTMX has zero critical CVEs. Next.js, which now leads the Tranco top 10,000 by market share, has fewer than 50 total. Claude Code reached 28 in its first year. The attack surface is not proportional to the tool's age. It is proportional to the trust model the tool demands.
CVE-2026-46406: The Predictable Path
The most recent entry, CVE-2026-46406, is deceptively simple. Claude Code's /copy command wrote responses to a hardcoded path: /tmp/claude/response.md. The file had world-readable permissions in a traversable directory. Any local user on a shared machine could read every secret, API key, and code snippet that a developer copied through Claude Code. Worse, the static path enabled symlink attacks — an attacker could create a symlink at that location pointing to any file on disk, and Claude Code would overwrite it.
The vulnerability affected versions 2.1.59 through 2.1.127 and was classified under three CWEs: improper link resolution (CWE-59), sensitive information exposure (CWE-200), and insecure temporary file handling (CWE-377). NVD assigned it CVSS 6.1 — medium severity. GitHub's CVSS 4.0 assessment rated it 4.4. It was patched in version 2.1.128, published June 29, 2026.
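The three weaknesses above can be seen side by side in a short added example. This is not Claude Code's code or Anthropic's patch: the function names, the finding labels and the sandbox directory standing in for /tmp are assumptions, and it expects a POSIX system.

```python
import os
import stat
import tempfile

def write_predictable(path, data):
    """Pattern described above: fixed path, default permissions, links followed."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:   # open() follows a symlink already at `path`
        f.write(data)            # mode is 0666 & ~umask, typically 0644

def open_private(path):
    """Create `path` only if nothing exists there; never follow a link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)   # owner read/write only

def write_private(data, name="response.md"):
    """Hardened form: random 0700 directory per call, then an exclusive create."""
    directory = tempfile.mkdtemp(prefix="copy-")   # unpredictable name, mode 0700
    path = os.path.join(directory, name)
    with os.fdopen(open_private(path), "w") as f:
        f.write(data)
    return path

def audit(path):
    """Findings for a file that holds copied output (hypothetical labels)."""
    findings = []
    if os.path.islink(path):                       # link resolution, CWE-59
        findings.append("symlink")
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):       # exposure, CWE-200
        findings.append("readable-by-others")
    parent = os.stat(os.path.dirname(path)).st_mode
    if parent & (stat.S_IXGRP | stat.S_IXOTH):     # insecure temp dir, CWE-377
        findings.append("parent-traversable")
    return findings

if __name__ == "__main__":
    # Constructed sandbox standing in for a shared temp directory.
    base = tempfile.mkdtemp()
    fixed = os.path.join(base, "claude", "response.md")
    write_predictable(fixed, "API_KEY=constructed-sample-value")
    print("predictable:", audit(fixed))
    print("private:    ", audit(write_private("API_KEY=constructed-sample-value")))
```

The same `audit` check can be pointed at any tool's scratch files on a shared host to confirm that nothing sensitive lands in a group- or world-accessible location.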
The Critical Pair
Two Claude Code vulnerabilities reached the maximum CVSS score of 10.0. CVE-2026-39861 was a symlink-based sandbox escape: sandboxed processes could create symbolic links referencing locations outside the workspace, bypassing filesystem restrictions entirely and triggering arbitrary file writes. CVE-2026-25725 allowed attackers to bypass settings.json protection in the sandbox, effectively disabling the security model from inside it.
The remaining high-severity entries read like a tutorial on what can go wrong when an AI agent has filesystem and shell access. CVE-2026-25722 (CVSS 9.1): directory change bypass with write protection. CVE-2025-66032 (CVSS 9.8): shell command parsing allows arbitrary execution. CVE-2025-64755 (CVSS 9.8): sed command parsing enables file write bypass. CVE-2025-59828 (CVSS 9.8): yarn plugin auto-execution bypasses trust dialog. Each vulnerability is a different way to escape the boundaries that make an AI coding tool safe to use.
The Pattern
Claude Code's vulnerability profile is not random. It clusters around a single architectural challenge: containing an agent that needs to read files, write files, execute commands, and access the network — while preventing that same agent from doing exactly those things in the wrong context. Every sandbox escape, every path traversal, every trust dialog bypass is a manifestation of the same tension.
This is not unique to Anthropic. Cursor has its own critical CVEs (CVE-2026-50548 and CVE-2026-50549, both CVSS 9.8). Gemini CLI had a CVSS 10.0. GitHub Copilot has had sandbox boundary failures. The entire category of AI coding tools shares the same fundamental problem: the agent needs elevated access to be useful, but elevated access is elevated risk.
What This Means for Security Teams
Twenty-eight CVEs in one year is not a sign that Claude Code is unusually insecure. It is a sign that AI coding tools represent a new vulnerability class that did not exist before 2024. These tools sit at the intersection of supply chain risk (they process untrusted code), privilege escalation (they execute with developer permissions), and prompt injection (they interpret natural language as instructions). No traditional security tool was designed to address all three simultaneously.
For organizations deploying AI coding assistants, the 28-CVE ledger is data, not a verdict. Anthropic patches quickly — CVE-2026-46406 was fixed within days. But the rate of discovery shows no sign of slowing. Every new feature that makes Claude Code more capable — worktree handling, remote development, plugin systems — adds attack surface that the sandbox must contain. The question is not whether AI coding tools have vulnerabilities. It is whether your security posture accounts for the ones they will have next.


