CVE-2026-39861
Sandbox Escape via Symlink Manipulation in Claude Code Before
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anthropic | claude_code | to 2.1.64 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39861 is a high-severity sandbox escape vulnerability in the Claude Code agentic coding tool prior to version 2.1.64. The issue arises because the sandbox did not prevent sandboxed processes from creating symbolic links (symlinks) that point outside the intended workspace. When Claude Code later wrote to a path within such a symlink, the unsandboxed process followed the symlink and wrote to the target location outside the workspace without user confirmation.
This vulnerability occurs due to the combination of two conditions: the sandboxed command alone cannot write outside the workspace, and the unsandboxed application alone cannot write outside the workspace, but together they enable writing to arbitrary file system locations. Exploiting this requires injecting untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not explicitly address how CVE-2026-39861 affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to write files arbitrarily outside the sandboxed workspace, potentially leading to code execution outside the sandbox environment. This means an attacker could execute unauthorized code on your system, compromising the confidentiality, integrity, and availability of your data within the vulnerable system.
The attack can be performed remotely without requiring special privileges, although it requires some user interaction through injecting untrusted content. The impact is rated high severity with a CVSS v4 base score of 7.7.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying whether your Claude Code installation is a version prior to 2.1.64, as the vulnerability exists only in those versions.
You can check the installed version of Claude Code by running a command to display the package version, for example:
- npm list @anthropic-ai/claude-code
- or if installed globally:
- npm list -g @anthropic-ai/claude-code
Additionally, to detect exploitation attempts, you can monitor for creation of symbolic links within the Claude Code workspace that point outside the workspace directory. For example, using the find command to locate symlinks pointing outside the workspace path:
- find /path/to/claude-code/workspace -type l -exec bash -c 'target=$(readlink -f "$0"); [[ "$target" != /path/to/claude-code/workspace/* ]] && echo "$0 -> $target"' {} \;
This command finds symlinks inside the workspace that resolve to locations outside it, which is the core of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update Claude Code to version 2.1.64 or later, as this version contains the fix for the vulnerability.
Users who have automatic updates enabled have already received this fix. Users who manually update should perform the upgrade as soon as possible.
Until the update is applied, avoid adding untrusted content into Claude Code context windows, as exploitation requires injecting untrusted content to trigger sandboxed code execution.
Additionally, monitor and restrict the creation of symbolic links within the workspace that point outside the workspace directory to reduce risk.