CVE-2026-39861 is a sandbox escape in Claude Code, patched in version 2.1.64. The vulnerability allows file writes to land outside the workspace directory by exploiting symbolic link following across two Claude Code processes. Reported by security researcher philts via HackerOne, tracked as GHSA-vp62-r36r-9xqp. If you use Claude Code below 2.1.64, update immediately.
The Mechanism
Claude Code sandboxes write operations to the current workspace directory. CVE-2026-39861 bypasses this using two processes:
A sandboxed process creates a symbolic link inside the workspace. The symlink points outside the workspace boundary. Creating a symlink inside the workspace is permitted, so the sandbox allows it.
A separate, unsandboxed process writes through that symlink. It does not re-validate the resolved path. It sees a path inside the workspace and writes to it. The write lands at the symlink's target, outside the sandbox.
The root cause: the sandbox checks the declared path at creation time but not at resolution time. TOCTOU-adjacent pattern. The filesystem state changes between validation and use.
Who Is Affected
Anyone running Claude Code below 2.1.64. Auto-update (the default) delivers the patch automatically. Enterprise environments that pin versions need to apply the update explicitly.
How to Check Your Installation
Step 1: Run claude --version. Below 2.1.64 = affected.
Step 2: Confirm auto-update is enabled. If your org disables it for controlled rollouts, confirm the update has been applied.
Step 3: If you suspect exploitation, check for unexpected symlinks pointing outside the workspace:
find /path/to/your/workspace -type l -exec ls -la {} \;
Look for symlinks targeting system directories, home directory config files, or anything outside the project tree.
Step 4: If your environment captures Claude Code sandbox logs, review for path resolution events where declared path and resolved path differ. A write where the resolved path falls outside the workspace boundary is the signature.
The Broader Pattern
This is the sixth Claude Code advisory in the current review period. The previous five: argument injection, domain verification bypass, credential theft via prompt injection, command injection through the prompt editor, hook injection via CBSE. Six advisories, six distinct attack classes, multiple independent researchers.
The pattern reflects a structural property of agentic execution models: tools that combine user-level filesystem access with agent-driven autonomous execution present a recurring attack surface. Staying current on versions is baseline hygiene.
How Armor1 Tracks This
Armor1's Client Catalog scores Claude Code across 16 risk categories. Two map directly to this CVE:
Sandbox Isolation measures whether write operations stay confined to the declared workspace. The symlink-following escape is the class of violation this category covers.
Supply Chain and Update Posture distinguishes installations below 2.1.64 from patched ones. Teams can identify unpatched Claude Code instances across their developer fleet without manual version audits.
Two things you can do right now, both free:
See the risk of any MCP server in your environment in Armor1's public catalog
Cover your entire agentic stack (every app, MCP, tool, skill, and plugin) by signing up free Here
Top comments (0)