CVE-2026-39861 Overview
CVE-2026-39861 is a sandbox escape vulnerability in Anthropic Claude Code, an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox implementation failed to prevent sandboxed processes from creating symbolic links pointing to locations outside the workspace directory. When Claude Code subsequently attempted to write to a path within such a symlink, its unsandboxed process would follow the symlink and write to the target location outside the workspace without prompting the user for confirmation.
This vulnerability represents a classic symlink attack (CWE-22: Path Traversal) where neither the sandboxed command nor the unsandboxed application could independently write outside the workspace, but their combination could achieve arbitrary file writes to locations outside the intended sandbox boundary—potentially leading to code execution outside the sandbox environment.
Critical Impact
Successful exploitation allows attackers to escape the Claude Code sandbox and write arbitrary files to locations outside the workspace, potentially achieving code execution on the host system through prompt injection attacks.
Affected Products
- Anthropic Claude Code versions prior to 2.1.64
- Claude Code for Node.js (all platforms)
Discovery Timeline
- 2026-04-21 - CVE-2026-39861 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-39861
Vulnerability Analysis
The vulnerability stems from an incomplete sandbox isolation mechanism in Claude Code. The sandbox was designed to restrict file system operations to within the designated workspace directory. However, the implementation failed to account for symbolic link creation, which allowed sandboxed processes to create symlinks pointing to arbitrary locations on the file system.
The attack chain requires prompt injection to trigger the vulnerability. An attacker would need to inject malicious content into a Claude Code context window, which would then instruct the sandboxed environment to create a symlink within the workspace pointing to a sensitive location outside of it (such as ~/.bashrc, /etc/cron.d/, or other locations that could enable code execution). When Claude Code's unsandboxed process later performs a legitimate write operation targeting what appears to be a path within the workspace, it follows the symlink and writes to the external target location.
This represents a time-of-check time-of-use (TOCTOU) style vulnerability combined with improper symlink handling, where the security boundary between sandboxed and unsandboxed operations was not consistently enforced.
Root Cause
The root cause is the failure to validate or restrict symbolic link creation within the sandboxed environment. The sandbox implementation did not include symlink creation in its restricted operations list, creating a gap where:
- Sandboxed processes could create symlinks pointing outside the workspace
- The unsandboxed parent process followed symlinks without validating their targets
- No user confirmation was required when writes traversed symlink boundaries
This architectural oversight allowed the combination of sandboxed and unsandboxed operations to bypass the intended security boundary.
Attack Vector
Exploitation requires network-based access to inject untrusted content into a Claude Code context window. The attack vector involves:
- Prompt Injection: Attacker injects malicious instructions into content that Claude Code processes (e.g., through a malicious repository, file, or web content)
- Symlink Creation: The injected instructions cause the sandboxed process to create a symlink within the workspace pointing to a sensitive external location
- Sandbox Escape: When Claude Code's unsandboxed process writes to the symlink path, the write operation follows the symlink and modifies files outside the workspace
- Code Execution: By targeting startup scripts, cron jobs, or other executable locations, attackers can achieve persistent code execution
The vulnerability requires user interaction in that the user must process content containing the prompt injection payload through Claude Code.
Detection Methods for CVE-2026-39861
Indicators of Compromise
- Unexpected symbolic links within Claude Code workspace directories pointing to locations outside the workspace
- Modifications to user startup files (.bashrc, .zshrc, .profile) not initiated by the user
- New or modified cron jobs or scheduled tasks created around the time Claude Code was in use
- Suspicious file writes to system directories coinciding with Claude Code activity
Detection Strategies
- Monitor for symlink creation events within Claude Code workspace directories using file system auditing
- Implement behavioral detection for processes that create symlinks followed by writes to paths resolving outside workspace boundaries
- Audit Claude Code process activity for file operations targeting sensitive system locations
- Review process trees for Claude Code to identify unexpected child processes or file operations
Monitoring Recommendations
- Enable file integrity monitoring on critical system files and directories
- Configure logging for symlink creation events in user workspace directories
- Monitor for writes to common persistence locations (.bashrc, cron directories, startup folders) from Node.js processes
- Implement alerts for Claude Code processes accessing paths outside their designated workspace
How to Mitigate CVE-2026-39861
Immediate Actions Required
- Update Claude Code to version 2.1.64 or later immediately
- Users on standard Claude Code auto-update should verify they have received the fix automatically
- Review workspace directories for any suspicious symlinks pointing outside the workspace
- Audit recent file system changes for any signs of exploitation
Patch Information
Anthropic has released version 2.1.64 of Claude Code which addresses this vulnerability. Users performing manual updates should update to this version or later. Users on the standard auto-update mechanism have received this fix automatically.
For detailed patch information, refer to the GitHub Security Advisory GHSA-vp62-r36r-9xqp.
Workarounds
- Limit Claude Code usage to processing only trusted content until the update is applied
- Avoid processing content from untrusted sources (unknown repositories, web content, or files of unknown origin)
- Monitor and audit symlink creation within Claude Code workspaces as an interim detection measure
- Consider running Claude Code in an isolated environment (container or VM) to limit the impact of potential sandbox escapes
# Verify Claude Code version
claude --version
# Check for suspicious symlinks in workspace
find /path/to/workspace -type l -exec ls -la {} \; 2>/dev/null | grep -v "^l.*-> /path/to/workspace"
# Update Claude Code (if using npm)
npm update @anthropic/claude-code
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
