CVE-2026-39861
Published: 21 April 2026
Description
Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink,…
more
its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation. This allowed a sandbox escape where neither the sandboxed command nor the unsandboxed app could independently write outside the workspace, but their combination could write to arbitrary locations, potentially leading to code execution outside the sandbox. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection. Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to version 2.1.64 or later.
Mitigating Controls (NIST 800-53 r5)AI
SC-39 enforces process isolation in the sandbox to prevent sandboxed processes from creating symlinks pointing to locations outside the workspace.
SI-10 requires validation of untrusted content input to the Claude Code context window to block prompt injection that triggers malicious symlink-creating code.
SI-2 mandates timely flaw remediation through updating to Claude Code version 2.1.64 or later, directly fixing the symlink sandbox escape vulnerability.
Security SummaryAI
CVE-2026-39861 is a critical sandbox escape vulnerability (CVSS 3.1 score of 10.0) affecting Claude Code, an agentic coding tool, in versions prior to 2.1.64. The issue stems from the sandbox failing to prevent sandboxed processes from creating symbolic links (symlinks) that point to locations outside the designated workspace (CWE-22: Path Traversal, CWE-61). When the unsandboxed Claude Code process subsequently writes to a path resolved through such a symlink, it follows the link and writes to arbitrary target locations outside the workspace without user confirmation, bypassing sandbox restrictions.
Exploitation requires an attacker to inject untrusted content into a Claude Code context window, enabling prompt injection to trigger execution of malicious sandboxed code that creates the symlink. Remote attackers with network access (AV:N) can achieve this with low complexity, no privileges, and no user interaction (AC:L/PR:N/UI:N), leading to a scope change (S:C). Successful exploitation allows arbitrary file writes outside the sandbox—neither the sandboxed command nor the unsandboxed app can independently write externally, but their combination enables this—potentially resulting in code execution with the privileges of the unsandboxed process.
The GitHub security advisory (GHSA-vp62-r36r-9xqp) recommends updating to Claude Code version 2.1.64 or later to mitigate the vulnerability. Users on standard auto-update channels have received the fix automatically, while those performing manual updates must apply it explicitly. The vulnerability was published on 2026-04-21.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- Matched keywords: claude, claude, claude, claude, prompt injection, claude
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote exploitation of a client-side coding tool via prompt injection to execute sandboxed code creating symlinks for path traversal, allowing arbitrary file writes outside the sandbox with unsandboxed process privileges, directly facilitating client execution (T1203) and privilege escalation via sandbox escape (T1068).