CVE-2026-55607
Analyzed Analyzed - Analysis Complete

Directory Traversal in Claude Code

Vulnerability report for CVE-2026-55607, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-30
Generated
2026-07-19
AI Q&A
2026-06-29
EPSS Evaluated
2026-07-18
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
anthropic claude_code From 2.1.38 (inc) to 2.1.163 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55607 is a high-severity vulnerability in Anthropic's Claude Code versions 2.1.38 to 2.1.162. It involves a sandbox escape caused by Git worktree path confusion, where the tool allowed creation of worktrees named ".git" and navigation outside the sandbox context.

Attackers could exploit this by manipulating symbolic links and leveraging Git fsmonitor execution during worktree operations to overwrite files in the user's home directory, such as the .zshenv file. This leads to code execution outside of the seatbelt sandbox restrictions.

To exploit this vulnerability, a user would need to clone a malicious repository containing prompt injection content and run Claude Code against it. The issue has been fixed in version 2.1.163.

Detection Guidance

Detection of this vulnerability involves identifying if a vulnerable version of Claude Code (versions 2.1.38 to 2.1.162) is installed and if any malicious repositories with crafted worktrees named ".git" or symlink manipulations have been cloned or executed.

You can check the installed version of Claude Code by running a command like:

  • npm list @anthropic-ai/claude-code

or if installed globally:

  • npm list -g @anthropic-ai/claude-code

To detect suspicious worktrees or symlink manipulations, you can search for unexpected ".git" directories or symlinks outside expected repository locations, for example:

  • find /path/to/scan -type d -name ".git"
  • find /path/to/scan -type l -ls

Additionally, monitoring for unexpected modifications to files in the user's home directory such as ".zshenv" may indicate exploitation attempts:

  • ls -l ~/.zshenv
  • stat ~/.zshenv

Since exploitation requires running Claude Code against a malicious repository, reviewing recent repository clones and executions of Claude Code may help identify suspicious activity.

Impact Analysis

This vulnerability can have serious impacts including unauthorized code execution outside of sandbox restrictions, which compromises the security boundaries intended to protect the system.

An attacker exploiting this could overwrite important files in the user's home directory, potentially leading to persistent compromise, loss of confidentiality, integrity, and availability of the affected system.

Compliance Impact

The vulnerability in Claude Code allows attackers to execute code outside of sandbox restrictions by overwriting files in the user's home directory, which can impact the confidentiality, integrity, and availability of the system.

Such impacts on system security could potentially lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

However, the provided information does not explicitly mention compliance implications or specific effects on these regulations.

Mitigation Strategies

To mitigate this vulnerability, immediately update Claude Code to version 2.1.163 or later, as this version contains the fix for the sandbox escape issue.

If you are using auto-updates, ensure they are enabled so that the fix is applied automatically.

For users not using auto-updates, perform a manual update to the patched version to prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55607. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart