Detections
Analytics
Claude Code Settings File Detected
medium Web App Scanning Plugin ID 115146
Language:
Synopsis
Claude Code Settings File DetectedDescription
Claude Code is an agentic coding tool developed by Anthropic that operates directly in the terminal. It uses configuration files named settings.json or settings.local.json to store its settings, including API keys, model preferences, and custom permissions.If an attacker can access these settings files, they may be able to gather sensitive information such as API keys, allowed tools, MCP server configurations, and other security-sensitive settings.
Solution
Ensure that the configuration file is not deployed with the application or, at least, is not exposed in a web server directory by setting proper permissions on it.See Also
Plugin Details
Severity: Medium
ID: 115146
Type: remote
Family: Artificial Intelligence
Published: 2/17/2026
Updated: 2/17/2026
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Low
Score: 1.4
CVSS v2
Risk Factor: Medium
Base Score: 5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Medium
Base Score: 5.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score Source: Tenable
CVSS v4
Risk Factor: Medium
Base Score: 6.9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score Source: Tenable
Reference Information
CWE: 538
OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A1, 2025-A1
WASC: Predictable Resource Location
CAPEC: 95
DISA STIG: APSC-DV-002480
HIPAA: 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3
OWASP API: 2019-API7, 2023-API8
PCI-DSS: 3.2-2.2