DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-39861: CVE-2026-39861: Sandbox Escape via Symlink Following in Anthropic Claude Code

#security #cve #cybersecurity

CVE-2026-39861: Sandbox Escape via Symlink Following in Anthropic Claude Code

Vulnerability ID: CVE-2026-39861
CVSS Score: 7.7
Published: 2026-04-21

Claude Code versions prior to 2.1.64 contain a sandbox escape vulnerability due to improper handling of symbolic links. Sandboxed processes can create symlinks pointing outside the designated workspace, which the unsandboxed host process subsequently follows during file write operations. This enables arbitrary file writes on the host system, typically exploited via prompt injection.

TL;DR

A symlink following vulnerability in Claude Code < 2.1.64 allows an attacker to write arbitrary files on the host system. Exploitation requires a prompt injection attack to trick the agent into creating a malicious symlink and writing to it.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-61
  • Attack Vector: Network
  • CVSS Score: 7.7
  • Impact: Arbitrary File Write
  • Exploit Status: Proof of Concept
  • Required Interaction: Passive User Interaction

Affected Systems

  • macOS host systems running Claude Code < 2.1.64
  • Linux host systems running Claude Code < 2.1.64
  • Windows host systems (WSL/native) running Claude Code < 2.1.64
  • claude-code: < 2.1.64 (Fixed in: 2.1.64)

Mitigation Strategies

  • Update @anthropic-ai/claude-code to version 2.1.64 or higher.
  • Enforce strict path canonicalization using realpath before writing files on behalf of untrusted processes.
  • Monitor endpoint execution logs for suspicious symlink creation (ln -s) originating from Claude Code processes.
  • Review untrusted repositories manually before executing agentic tools against their codebase.

Remediation Steps:

  1. Verify current Claude Code version using 'claude --version'.
  2. Execute 'npm install -g @anthropic-ai/claude-code@latest' to apply the update.
  3. Verify the version has successfully updated to 2.1.64 or later.
  4. Audit high-value system files (e.g., ~/.ssh/authorized_keys, ~/.bashrc) for unauthorized modifications if the tool was previously used on untrusted codebases.

References

Read the full report for CVE-2026-39861 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)