CVE-2026-55607
Received Received - Intake

Directory Traversal in Claude Code

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: GitHub, Inc.

Description
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A
NVD
CVE-2026-55607
EUVD
EUVD-2026-40117

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
claude_code claude_code From 2.1.38 (inc) to 2.1.163 (inc)
anthropic claude_code From 2.1.38 (inc) to 2.1.163 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55607 is a high-severity vulnerability in Anthropic's Claude Code versions 2.1.38 to 2.1.162. It involves a sandbox escape caused by Git worktree path confusion, where the tool allowed creation of worktrees named ".git" and navigation outside the sandbox context.

Attackers could exploit this by manipulating symbolic links and leveraging Git fsmonitor execution during worktree operations to overwrite files in the user's home directory, such as the .zshenv file. This leads to code execution outside of the seatbelt sandbox restrictions.

To exploit this vulnerability, a user would need to clone a malicious repository containing prompt injection content and run Claude Code against it. The issue has been fixed in version 2.1.163.

Impact Analysis

This vulnerability can have serious impacts including unauthorized code execution outside of sandbox restrictions, which compromises the security boundaries intended to protect the system.

An attacker exploiting this could overwrite important files in the user's home directory, potentially leading to persistent compromise, loss of confidentiality, integrity, and availability of the affected system.

Mitigation Strategies

To mitigate this vulnerability, immediately update Claude Code to version 2.1.163 or later, as this version contains the fix for the sandbox escape issue.

If you are using auto-updates, ensure they are enabled so that the fix is applied automatically.

For users not using auto-updates, perform a manual update to the patched version to prevent exploitation.

Compliance Impact

The vulnerability in Claude Code allows attackers to execute code outside of sandbox restrictions by overwriting files in the user's home directory, which can impact the confidentiality, integrity, and availability of the system.

Such impacts on system security could potentially lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

However, the provided information does not explicitly mention compliance implications or specific effects on these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55607. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart