CVE-2026-39861
Received Received - Intake
Sandbox Escape via Symlink Manipulation in Claude Code Before

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation. This allowed a sandbox escape where neither the sandboxed command nor the unsandboxed app could independently write outside the workspace, but their combination could write to arbitrary locations, potentially leading to code execution outside the sandbox. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection. Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to version 2.1.64 or later.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39861
EUVD
EUVD-2026-24033
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
anthropic claude_code to 2.1.64 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not explicitly address how CVE-2026-39861 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-39861 is a high-severity sandbox escape vulnerability in the Claude Code agentic coding tool prior to version 2.1.64. The issue arises because the sandbox did not prevent sandboxed processes from creating symbolic links (symlinks) that point outside the intended workspace. When Claude Code later wrote to a path within such a symlink, the unsandboxed process followed the symlink and wrote to the target location outside the workspace without user confirmation.

This vulnerability occurs due to the combination of two conditions: the sandboxed command alone cannot write outside the workspace, and the unsandboxed application alone cannot write outside the workspace, but together they enable writing to arbitrary file system locations. Exploiting this requires injecting untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection.

Impact Analysis

This vulnerability can allow an attacker to write files arbitrarily outside the sandboxed workspace, potentially leading to code execution outside the sandbox environment. This means an attacker could execute unauthorized code on your system, compromising the confidentiality, integrity, and availability of your data within the vulnerable system.

The attack can be performed remotely without requiring special privileges, although it requires some user interaction through injecting untrusted content. The impact is rated high severity with a CVSS v4 base score of 7.7.

Detection Guidance

Detection of this vulnerability involves identifying whether your Claude Code installation is a version prior to 2.1.64, as the vulnerability exists only in those versions.

You can check the installed version of Claude Code by running a command to display the package version, for example:

  • npm list @anthropic-ai/claude-code
  • or if installed globally:
  • npm list -g @anthropic-ai/claude-code

Additionally, to detect exploitation attempts, you can monitor for creation of symbolic links within the Claude Code workspace that point outside the workspace directory. For example, using the find command to locate symlinks pointing outside the workspace path:

  • find /path/to/claude-code/workspace -type l -exec bash -c 'target=$(readlink -f "$0"); [[ "$target" != /path/to/claude-code/workspace/* ]] && echo "$0 -> $target"' {} \;

This command finds symlinks inside the workspace that resolve to locations outside it, which is the core of the vulnerability.

Mitigation Strategies

The primary and immediate mitigation step is to update Claude Code to version 2.1.64 or later, as this version contains the fix for the vulnerability.

Users who have automatic updates enabled have already received this fix. Users who manually update should perform the upgrade as soon as possible.

Until the update is applied, avoid adding untrusted content into Claude Code context windows, as exploitation requires injecting untrusted content to trigger sandboxed code execution.

Additionally, monitor and restrict the creation of symbolic links within the workspace that point outside the workspace directory to reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39861. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart