Skip to content
The AI-First Web

Claude Code's Sandbox Had a Blind Spot: Symlinks That Crossed the Wall

CVE-2026-39861 (CVSS 10.0): a symlink created inside the sandbox could point outside the workspace. When Claude Code's unsandboxed process followed it, arbitrary file writes landed anywhere on the host. Neither component could escape alone — their combination could.

· 4 min read
Share on X LinkedIn
Claude Code's Sandbox Had a Blind Spot: Symlinks That Crossed the Wall

When Two Safe Components Combine Into One Unsafe System

CVE-2026-39861 is a sandbox escape in Anthropic's Claude Code, the AI-powered coding assistant that runs commands on the user's machine. The vulnerability earned the maximum CVSS score of 10.0 — not because either the sandbox or the main process was individually broken, but because their interaction created a gap neither was designed to handle.

The sandboxed process could not write outside the workspace. The unsandboxed Claude Code process could write anywhere, but only to paths the user approved. A symlink created inside the sandbox — pointing to a location outside the workspace — connected the two: the sandbox created the pointer, and the unsandboxed process followed it, writing to the target without ever asking the user.

10.0 Critical
CVSS Score
CWE-22 (Path Traversal), CWE-61 (Symlink Following) — sandbox escape via composition of two individually safe components.

The Attack Path

Exploitation required injecting untrusted content into Claude Code's context window — a prompt injection attack. A malicious instruction embedded in a repository file, a cloned project, or a pasted code snippet could direct Claude Code to create a symbolic link inside the workspace pointing to a sensitive external location: ~/.bashrc, ~/.ssh/authorized_keys, /etc/cron.d/, or any other path that enables code execution on the host.

When Claude Code subsequently wrote to what it believed was a file inside the workspace, the operating system followed the symlink and delivered the write to the external target. The user received no confirmation prompt. From the application's perspective, the write was to a workspace path — the symlink redirection happened at the filesystem level, below the application's visibility.

@anthropic-ai/claude-code before v2.1.64
Affected Versions
All versions prior to the April 2026 patch. Users on auto-update received the fix automatically.

AI Coding Tools as Attack Surface

This vulnerability is a concrete example of a pattern WebPulse tracks across the AI tooling landscape: AI-powered development tools that execute code on the user's machine inherit every filesystem, network, and privilege assumption of that machine. Their sandbox is the security boundary — and sandbox escapes in these tools have a different blast radius than sandbox escapes in, say, a browser tab.

A browser sandbox escape gives an attacker access to the user's system. A coding tool sandbox escape gives an attacker access to a system that is already configured for development: with SSH keys, cloud credentials, API tokens, and deployment pipelines within reach. The post-exploitation environment is pre-loaded with the exact assets an attacker needs to move laterally into production infrastructure.

The Fix

Anthropic patched the vulnerability in Claude Code v2.1.64 by adding symlink resolution checks before file operations. The fix ensures that the final target of any write operation is validated against the workspace boundary, regardless of whether the path contains symbolic links. Users on Claude Code's default auto-update mechanism received the patch without manual intervention.

The advisory was published on April 20, 2026, with coordinated disclosure through GitHub Security Advisories (GHSA-vp62-r36r-9xqp). Anthropic credited the discovery to external security researchers through its vulnerability disclosure program.

What This Means for Organizations Using AI Coding Tools

If your engineering teams use Claude Code, verify that installations are running v2.1.64 or later. If your organization runs manual update policies for developer tools, this CVE is a case study in why auto-update for security-sensitive tooling reduces the window of exposure. The vulnerability was exploitable through prompt injection — meaning the attack vector was the content developers work with daily: code repositories, documentation, and shared snippets. No special access to the developer's machine was required beyond getting malicious content into the tool's input.

CVEs in this analysis
CVE-2026-39861
Share this insight