Claude Code CVE-2026-39861: Sandbox Escape via Symlink Following

✍️ OpenClawRadar | 📅 Published: May 8, 2026 | 🔗 Source

Claude Code versions before 2.1.64 (npm package @anthropic-ai/claude-code) contain a sandbox escape vulnerability tracked as CVE-2026-39861. The issue: the sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code's unsandboxed process later wrote to a path within such a symlink, it followed the link and wrote to the target location without user confirmation.

How the exploit works

The attack combines two components: a sandboxed command that creates a symlink pointing outside the workspace, and the unsandboxed app subsequently writing to a path that traverses that symlink. Neither component alone can write outside the workspace — it's the combination that enables arbitrary file write. Reliably exploiting this requires prompt injection to trigger sandboxed code execution via untrusted content in the Claude Code context window.

Impact and CVSS

Rated High severity with a CVSS v4 base score of 7.7. The attack vector is network, attack complexity is low, no privileges are required, and user interaction is passive. Confidentiality, integrity, and availability impacts on the vulnerable system are all high.

Affected and patched versions

  • Affected: all versions before 2.1.64
  • Patched: version 2.1.64 (released April 20, 2026)

Users on standard auto-update have received the fix automatically. Manual updaters should update to the latest version immediately.

What to do

If you're using Claude Code, verify your version with claude --version and update to 2.1.64 or later via npm update @anthropic-ai/claude-code -g or the relevant package manager. Also be aware that this vulnerability can be triggered via prompt injection, so treat untrusted content in the context window with caution.

📖 Read the full source: HN AI Agents
