When Two Safe Components Combine Into One Unsafe System
CVE-2026-39861 is a sandbox escape in Anthropic's Claude Code, the AI-powered coding assistant that runs commands on the user's machine. The vulnerability earned the maximum CVSS score of 10.0 — not because either the sandbox or the main process was individually broken, but because their interaction created a gap neither was designed to handle.
The sandboxed process could not write outside the workspace. The unsandboxed Claude Code process could write anywhere, but only to paths the user approved. A symlink created inside the sandbox — pointing to a location outside the workspace — connected the two: the sandbox created the pointer, and the unsandboxed process followed it, writing to the target without ever asking the user.
The Attack Path
Exploitation required injecting untrusted content into Claude Code's context window — a prompt injection attack. A malicious instruction embedded in a repository file, a cloned project, or a pasted code snippet could direct Claude Code to create a symbolic link inside the workspace pointing to a sensitive external location: ~/.bashrc, ~/.ssh/authorized_keys, /etc/cron.d/, or any other path that enables code execution on the host.
When Claude Code subsequently wrote to what it believed was a file inside the workspace, the operating system followed the symlink and delivered the write to the external target. The user received no confirmation prompt. From the application's perspective, the write was to a workspace path — the symlink redirection happened at the filesystem level, below the application's visibility.
AI Coding Tools as Attack Surface
This vulnerability is a concrete example of a pattern WebPulse tracks across the AI tooling landscape: AI-powered development tools that execute code on the user's machine inherit every filesystem, network, and privilege assumption of that machine. Their sandbox is the security boundary — and sandbox escapes in these tools have a different blast radius than sandbox escapes in, say, a browser tab.
A browser sandbox escape gives an attacker access to the user's system. A coding tool sandbox escape gives an attacker access to a system that is already configured for development: with SSH keys, cloud credentials, API tokens, and deployment pipelines within reach. The post-exploitation environment is pre-loaded with the exact assets an attacker needs to move laterally into production infrastructure.
The Fix
Anthropic patched the vulnerability in Claude Code v2.1.64 by adding symlink resolution checks before file operations. The fix ensures that the final target of any write operation is validated against the workspace boundary, regardless of whether the path contains symbolic links. Users on Claude Code's default auto-update mechanism received the patch without manual intervention.
The advisory was published on April 20, 2026, with coordinated disclosure through GitHub Security Advisories (GHSA-vp62-r36r-9xqp). Anthropic credited the discovery to external security researchers through its vulnerability disclosure program.
What This Means for Organizations Using AI Coding Tools
If your engineering teams use Claude Code, verify that installations are running v2.1.64 or later. If your organization runs manual update policies for developer tools, this CVE is a case study in why auto-update for security-sensitive tooling reduces the window of exposure. The vulnerability was exploitable through prompt injection — meaning the attack vector was the content developers work with daily: code repositories, documentation, and shared snippets. No special access to the developer's machine was required beyond getting malicious content into the tool's input.


