Nixpkgs security tracker

Untriaged

Permalink CVE-2026-44467

7.4 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Adjacent (A)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Adjacent (A)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 1 week, 5 days ago Activity log

Created suggestion 1 week, 5 days ago

Claude Desktop: SSH Host Key Verification Bypass Allows Man-in-the-Middle Attack on Remote Sessions

The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in ~/.ssh/known_hosts without comparing the server's presented host key against the stored key. This allowed a network-positioned attacker to present an arbitrary SSH host key and have the connection silently accepted, enabling a man-in-the-middle attack on remote development sessions. Successful exploitation required the attacker to be in a network position to intercept SSH traffic (e.g., via ARP spoofing, rogue Wi-Fi, or DNS poisoning) and the target hostname to already have an entry in the victim's known_hosts file. This vulnerability is fixed in 1.4304.0.

References

https://github.com/anthropics/claude-code/security/advisories/GHSA-3rwf-2g6p-c2f9 x_refsource_CONFIRM

Affected products

claude-code

==>= 1.2581.0, < 1.4304.0

Matching in nixpkgs

pkgs.claude-code

Agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster

nixos-unstable 2.1.137
- nixpkgs-unstable 2.1.137
- nixos-unstable-small 2.1.138
nixos-25.11 2.1.81
- nixos-25.11-small 2.1.81
- nixpkgs-25.11-darwin 2.1.81

pkgs.claude-code-acp

ACP-compatible coding agent powered by the Claude Code SDK

nixos-25.11 0.10.6
- nixos-25.11-small 0.10.6
- nixpkgs-25.11-darwin 0.10.6

pkgs.claude-code-bin

Agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster

nixos-unstable 2.1.137
- nixpkgs-unstable 2.1.137
- nixos-unstable-small 2.1.138
nixos-25.11 2.1.81
- nixos-25.11-small 2.1.81
- nixpkgs-25.11-darwin 2.1.81

pkgs.claude-code-router

Tool to route Claude Code requests to different models and customize any request

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 1.0.64
- nixos-25.11-small 1.0.64
- nixpkgs-25.11-darwin 1.0.64

pkgs.gnomeExtensions.claude-code-usage

Display Claude Code usage in the top panel. This extension uses anthropic.com services. This extension is not affiliated, funded, or in any way associated with Claude.

nixos-unstable 4
- nixpkgs-unstable 4
- nixos-unstable-small 4

pkgs.gnomeExtensions.claude-code-switcher

A GNOME shell extension for quickly switching Claude Code API providers with enhanced performance and reliability.

nixos-unstable 13
- nixpkgs-unstable 13
- nixos-unstable-small 13
nixos-25.11 13
- nixos-25.11-small 13
- nixpkgs-25.11-darwin 13

pkgs.vscode-extensions.anthropic.claude-code

Harness the power of Claude Code without leaving your IDE

nixos-unstable 2.1.133
- nixpkgs-unstable 2.1.133
- nixos-unstable-small 2.1.138
nixos-25.11 2.1.81
- nixos-25.11-small 2.1.81
- nixpkgs-25.11-darwin 2.1.81

pkgs.gnomeExtensions.claude-code-usage-indicator

Shows remaining time and usage percentage for Claude Code sessions in the top panel. Displays format like '3h 12m (30%)' showing both time remaining and percentage consumed. Automatically refreshes every 5 minutes.

nixos-unstable 3
- nixpkgs-unstable 3
- nixos-unstable-small 3
nixos-25.11 3
- nixos-25.11-small 3
- nixpkgs-25.11-darwin 3

Package maintainers

@adeci Alex Decious <alex.decious@gmail.com>
@mirkolenz Mirko Lenz <mirko@mirkolenz.com>
@markus1189 Markus Hauck <markus1189@gmail.com>
@xiaoxiangmoe ZHAO JinXiang <xiaoxiangmoe@gmail.com>
@omarjatoi Omar Jatoi
@malob Malo Bourgon <mbourgon@gmail.com>
@oskarwires Oskar <me@usbcable.io>
@Prince213 Sizhe Zhao <prc.zhao@outlook.com>
@honnip Jung seungwoo <me@honnip.page>
@storopoli Jose Storopoli <jose@storopoli.com>

Suggestion detail