Description
Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.
Published: 2026-02-06
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox Escape – privileged execution
Action: Apply Patch
AI Analysis

Impact

Claude Code uses a bubblewrap sandbox to isolate its execution. When the settings.json file does not exist at startup, the sandbox incorrectly allows writable access to the parent directory. Malicious code running inside the sandbox can create or modify that file and insert persistent hooks, such as SessionStart commands, that will run with host privileges when Claude Code restarts. The flaw, identified as CWE‑501 and CWE‑668, enables a form of privilege escalation that can compromise the host system.

Affected Systems

Versions of Anthropics Claude Code before 2.1.2 are affected. The issue occurs when .claude/settings.json is missing during startup; newer releases mount the file as read‑only and are unaffected. The vulnerability applies to all operating environments where Claude Code is installed locally.

Risk and Exploitability

The CVSS base score of 7.7 places this vulnerability in the high severity range, while the EPSS score of less than 1% indicates a low current exploitation probability. The flaw is not listed in CISA’s KEV catalog. Exploitation requires the ability to run code inside the sandbox, which is typically possible after the sandbox has been compromised or during normal operation of Claude Code. Once the file is created, the attacker gains host privilege execution each time the host restarts.

Generated by OpenCVE AI on April 17, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Claude Code 2.1.2 or later.
  • If an immediate upgrade is not possible, delete any existing .claude/settings.json file and configure the application to avoid writing persistent hooks; ensure the file is not writable by the sandbox.
  • Regularly audit the .claude directory for unexpected configuration files or modifications.

Generated by OpenCVE AI on April 17, 2026 at 22:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ff64-7w26-62rf Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json
History

Mon, 09 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Anthropic
Anthropic claude Code
CPEs cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*
Vendors & Products Anthropic
Anthropic claude Code
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Anthropics
Anthropics claude Code
Vendors & Products Anthropics
Anthropics claude Code

Fri, 06 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.
Title Claude Code Has Sandbox Escape via Persistent Configuration Injection in settings.json
Weaknesses CWE-501
CWE-668
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Anthropic Claude Code
Anthropics Claude Code
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T19:15:02.998Z

Reserved: 2026-02-05T16:48:00.426Z

Link: CVE-2026-25725

cve-icon Vulnrichment

Updated: 2026-02-06T19:14:58.348Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T18:16:00.187

Modified: 2026-02-09T14:46:12.660

Link: CVE-2026-25725

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses