
CVE-2026-55607: Anthropic Claude Code RCE Vulnerability

CVE-2026-55607 is a remote code execution flaw in Anthropic Claude Code that allows attackers to escape sandbox restrictions and execute arbitrary code. This article covers technical details, affected versions, and mitigation.

CVE-2026-55607 Overview

CVE-2026-55607 affects Anthropic Claude Code, an agentic coding tool. The vulnerability exists in versions 2.1.38 through 2.1.162 and stems from improper worktree handling that permits creation of worktrees named .git and navigation to worktrees outside the sandbox context. Attackers exploit symlink manipulation combined with git fsmonitor execution during worktree operations to overwrite files in the user's home directory, such as .zshenv. Successful exploitation results in code execution outside the seatbelt sandbox restrictions on macOS. The issue is fixed in version 2.1.163.

Critical Impact

A malicious repository combined with prompt injection content can trigger arbitrary code execution outside Claude Code's sandbox, compromising the developer's host environment.

Affected Products

  • Anthropic Claude Code versions 2.1.38 through 2.1.162 (Node.js)
  • Systems relying on Claude Code's seatbelt sandbox for isolation
  • Developer workstations cloning untrusted repositories via Claude Code

Discovery Timeline

  • 2026-06-29 - CVE-2026-55607 published to NVD
  • 2026-06-30 - Last updated in NVD database

Technical Details for CVE-2026-55607

Vulnerability Analysis

The flaw is a path traversal issue [CWE-22] within Claude Code's git worktree handling logic. Claude Code allowed users to create worktrees whose directory name was .git, which git tooling interprets as a real git directory rather than a working tree. This confusion enables an attacker to redirect git operations against attacker-controlled metadata. Because Claude Code also permits navigation to worktrees located outside its sandbox root, the tool operates on paths the seatbelt profile was designed to exclude.

During normal worktree operations, git invokes fsmonitor, a configurable hook that executes an external command to enumerate changed files. When the worktree layout is manipulated, the fsmonitor command runs with the user's privileges, outside the sandbox. Combined with symlink placement, the attacker can force file writes into the user's home directory.

Root Cause

The root cause is insufficient validation of worktree names and target paths. Claude Code did not reject worktree names that collide with git-reserved directory names such as .git, and it did not confine worktree targets to the approved sandbox boundary. Symlinks were followed without canonicalization checks, permitting redirection to arbitrary filesystem locations.

Attack Vector

Exploitation requires the victim to clone a malicious repository and run Claude Code against it. The repository contains prompt injection content that steers the agent into performing the worktree operations required to trigger the bug. Once Claude Code executes a worktree command against the attacker-crafted structure, git's fsmonitor runs an attacker-controlled command or writes to files such as ~/.zshenv. On the next shell invocation, the payload in .zshenv executes with full user privileges, bypassing the seatbelt sandbox entirely.

Refer to the GitHub Security Advisory GHSA-7835-87q9-rgvv for the vendor's technical description.

Detection Methods for CVE-2026-55607

Indicators of Compromise

  • Unexpected modifications to shell startup files such as ~/.zshenv, ~/.zshrc, or ~/.bashrc following a Claude Code session
  • Presence of git worktrees named .git under repositories opened by Claude Code
  • Symlinks inside cloned repositories pointing outside the repository root or into $HOME
  • Execution of unexpected binaries as child processes of git invoked by the claude process

Detection Strategies

  • Audit process ancestry for git children spawned by Claude Code that execute shells, interpreters, or write to home directory paths
  • Alert on writes to shell rc files whose parent process chain includes node running Claude Code
  • Scan cloned repositories for symlinks whose canonical target resolves outside the repository tree before agent execution

Monitoring Recommendations

  • Enable file integrity monitoring on developer workstation dotfiles including .zshenv, .zprofile, and .bash_profile
  • Log git config reads and writes referencing core.fsmonitor and correlate with Claude Code sessions
  • Capture command line telemetry for git worktree add operations and flag names containing .git
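The symlink, worktree-named-.git and core.fsmonitor checks from the Detection Strategies and Monitoring Recommendations above, as one pre-flight scan to run on a clone before an agent session. This is an added example, not code from the advisory or from Anthropic; the sample repository tree, the hook path and the finding names are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Matches a core.fsmonitor assignment inside a git config file.
FSMONITOR_RE = re.compile(r"^\s*fsmonitor\s*=", re.IGNORECASE | re.MULTILINE)

def scan_repo(root):
    """Return (kind, relative_path, detail) findings: symlinks escaping the repo,
    a .git directory below the top level, and .git/config setting core.fsmonitor."""
    root = Path(root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        here = Path(dirpath)
        for name in dirnames + filenames:
            p = here / name
            if p.is_symlink():
                target = p.resolve(strict=False)  # canonical target, may be dangling
                if target != root and root not in target.parents:
                    findings.append(("symlink_escape", str(p.relative_to(root)), str(target)))
        if here.name == ".git":
            rel = str(here.relative_to(root))
            if here.parent != root:  # git only owns the top-level .git
                findings.append(("nested_git_dir", rel, ""))
            cfg = here / "config"
            if cfg.is_file() and FSMONITOR_RE.search(cfg.read_text(errors="replace")):
                findings.append(("fsmonitor_config", rel + "/config", ""))
    return findings

def build_sample_repo():
    """Constructed sample tree: a benign file, an escaping symlink, a nested .git."""
    base = Path(tempfile.mkdtemp())
    repo = base / "repo"
    (repo / "src").mkdir(parents=True)
    (repo / "src" / "main.py").write_text("print('ok')\n")
    # Symlink whose target lies outside the repository (dangling, like a planted dotfile link)
    (repo / "src" / "zshenv").symlink_to(base / "outside" / ".zshenv")
    nested = repo / "src" / ".git"  # a worktree directory named .git
    nested.mkdir()
    (nested / "config").write_text("[core]\n\tfsmonitor = /tmp/constructed-hook\n")
    return str(repo)

if __name__ == "__main__":
    for kind, path, detail in scan_repo(build_sample_repo()):
        print(f"{kind:16} {path} {detail}")
```

Point `scan_repo` at a freshly cloned checkout and refuse to start the agent session if it returns any findings.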

How to Mitigate CVE-2026-55607

Immediate Actions Required

  • Upgrade Claude Code to version 2.1.163 or later on every developer workstation
  • Inventory endpoints running vulnerable versions (2.1.38 through 2.1.162) using software asset data
  • Review recent Claude Code sessions against untrusted repositories and inspect user home directories for tampered shell startup files

Patch Information

Anthropic fixed the issue in Claude Code 2.1.163. Details are published in the GitHub Security Advisory GHSA-7835-87q9-rgvv. Upgrading is the only supported remediation.

Workarounds

  • Do not run Claude Code against untrusted or unreviewed repositories until patched
  • Restrict Claude Code execution to dedicated non-privileged accounts or ephemeral containers with read-only home directories
  • Disable core.fsmonitor globally on workstations that must run vulnerable versions temporarily

```bash
# Verify installed version and upgrade
claude --version
npm install -g @anthropic-ai/claude-code@2.1.163

# Temporary hardening: disable fsmonitor globally
git config --global core.fsmonitor false
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
