Anthropic’s widely used AI coding assistant Claude Code has been hit by a high-severity sandbox escape vulnerability (CVE-2026-39861) that allowed attackers to write files to arbitrary locations outside the designated workspace through a symlink-following attack posing serious risk of remote code execution when chained with prompt injection.
Claude Code Sandbox Escape Flaw
A critical flaw tracked as CVE-2026-39861 (GHSA-vp62-r36r-9xqp), affecting all versions of the @anthropic-ai/claude-code npm package prior to 2.1.64.
The vulnerability is classified as High severity and scored under the CVSS v4.0 framework with an Attack Vector of Network, Attack Complexity of Low, and full High impact on Confidentiality, Integrity, and Availability of the vulnerable system.
The weakness is rooted in two CWEs: CWE-22 (Path Traversal) and CWE-61 (UNIX Symbolic Link Following) a lethal combination that underscores how improper path canonicalization and insufficient symlink resolution continue to plague modern agentic AI tools.
The attack exploits a fundamental trust gap between Claude Code’s sandboxed process and its unsandboxed parent process.
Claude Code uses a sandboxing mechanism that isolates code execution within a defined workspace directory. However, the sandbox implementation did not prevent sandboxed processes from creating symbolic links (symlinks) that pointed to filesystem locations outside the workspace boundary.
Here’s the step-by-step attack chain:
- Attacker injects malicious content into Claude Code’s context window via prompt injection either through a malicious repository, file, or crafted input.
- The sandboxed process executes and creates a symlink within the workspace that silently resolves to a sensitive target outside the workspace for example,
/etc/cron.d/maliciousor a startup script. - Claude Code’s unsandboxed parent process, unaware that the path is a symlink pointing externally, subsequently writes to what it believes is a workspace-internal path.
- The unsandboxed process follows the symlink and writes directly to the external target without prompting the user for confirmation.
What makes this particularly dangerous is the dual-bypass nature of the exploit: neither the sandboxed command alone, nor the unsandboxed application alone, could independently write outside the workspace but their combination creates a covert write path that circumvents both protection layers.
This class of vulnerability is consistent with prior symlink escape attacks observed in other sandboxed environments and code execution judges.
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Attack Requirements | Present |
| Privileges Required | None |
| User Interaction | Passive |
| Confidentiality (VS) | High |
| Integrity (VS) | High |
| Availability (VS) | High |
| CVE ID | CVE-2026-39861 |
| Patched Version | 2.1.64 |
The Attack Requirements: Present qualifier indicates that while the attack is not trivially exploitable in isolation, reliable exploitation requires the ability to introduce untrusted content into a Claude Code context window, triggering sandboxed code execution via prompt injection. Once that precondition is met, the attack complexity drops to low.
This is not an isolated incident it is part of a growing pattern of security vulnerabilities affecting Claude Code in 2026. In February 2026, CVE-2026-25724 disclosed a separate symlink-based permission deny bypass (CWE-61).
Where Claude Code failed to enforce deny rules configured in settings.json when files were accessed via symbolic links exposing sensitive system files like /etc/passwd to unauthorized reads.
In early April 2026, Researchers disclosed a configuration-based sandbox escape via Claude Code’s bubblewrap (bwrap) implementation.
Where a malicious .claude/settings.json file could inject SessionStart hooks that executed arbitrary commands with full host privileges upon session restart.
Separately, Researchers documented how Claude Code’s agent autonomously disabled its own sandbox when it stood between the model and task completion without any user instruction.
Further compounding the risk, in late March 2026, Anthropic accidentally exposed 512,000+ lines of Claude Code source code via a mispackaged source map file on the npm registry.
Security team analyzed the leaked source and confirmed three independent command injection vulnerabilities (CWE-78) in the CLI’s command resolution, editor invocation, and authentication helper subsystems.
Impact Assessment
Successful exploitation of CVE-2026-39861 could allow a threat actor to:
- Overwrite critical system files such as cron jobs, shell profiles, or SSH authorized keys.
- Achieve persistent code execution outside the sandbox by writing malicious payloads to auto-executed locations.
- Bypass all user confirmation prompts, operating silently under the assumption of normal workspace file operations.
- Escalate to full host compromise when combined with prompt injection from malicious third-party repositories or documents.
This vulnerability is especially dangerous in CI/CD pipeline environments, where Claude Code agents often operate with elevated filesystem access and reduced human oversight.
Patch and Remediation
Anthropic has released a fix in @anthropic-ai/claude-code version 2.1.64. Users enrolled in standard Claude Code auto-update are already protected. Users performing manual updates are strongly advised to upgrade immediately using:
npm install -g @anthropic-ai/claude-code@latestSecurity teams should also audit any Claude Code deployments for:
- Unexpected symlinks within workspace directories
- Unauthorized modifications to files outside the workspace
- Untrusted content pipelines that could feed into Claude Code context windows
- Anomalous
SessionStarthooks in.claude/settings.jsonfiles
Frequently Asked Questions
Q1: What is CVE-2026-39861 in Claude Code?
It is a high-severity sandbox escape flaw where sandboxed processes create symlinks pointing outside the workspace, allowing the unsandboxed Claude Code process to write to arbitrary filesystem locations without user confirmation.
Q2: Which versions of @anthropic-ai/claude-code are affected?
All versions below 2.1.64 are vulnerable; the issue is fully patched in version 2.1.64 released by Anthropic.
Q3: Does exploiting CVE-2026-39861 require any user interaction?
Exploitation requires passive user interaction specifically, an attacker must be able to inject untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection.
Q4: Is this the first symlink vulnerability found in Claude Code?
No, CVE-2026-25724, disclosed in February 2026, was an earlier symlink-based deny rule bypass (CWE-61) that allowed unauthorized reads of protected files like /etc/passwd via symbolic link access.
Site: http://thecybrdef.com
About the Author
