Description
Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation. This allowed a sandbox escape where neither the sandboxed command nor the unsandboxed app could independently write outside the workspace, but their combination could write to arbitrary locations, potentially leading to code execution outside the sandbox. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection. Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to version 2.1.64 or later.
Published: 2026-04-21
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox escape permitting arbitrary file writes outside the workspace
Action: Immediate update
AI Analysis

Impact

Prior to version 2.1.64, Claude Code’s sandbox allowed the creation of symbolic links that pointed to locations beyond the workspace. When the sandboxed code later wrote to a path within such a link, the unsandboxed component followed the link and wrote to the external target. This combination enabled an attacker to escape the sandbox and overwrite files outside the designated area, potentially leading to code execution beyond the intended boundary.

Affected Systems

Anthropic’s Claude Code. Versions earlier than 2.1.64 are affected; users with automatic updates have received the fix, while users performing manual updates must install version 2.1.64 or later.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity. The EPSS score is < 1%, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to inject untrusted content into a Claude Code context window to trigger sandboxed execution that creates a malicious symlink, after which the unsandboxed process performs the file write. The combination of sandboxed and unsandboxed operations is necessary for the attack path.

Generated by OpenCVE AI on April 21, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify that automatic updates are enabled so the latest fix is installed.
  • If you perform manual updates, upgrade to version 2.1.64 or later immediately.
  • Review and limit untrusted input in Claude Code context windows to prevent prompt injection that could create malicious symlinks.

Generated by OpenCVE AI on April 21, 2026 at 23:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vp62-r36r-9xqp Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace
History

Thu, 23 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Anthropic
Anthropic claude Code
CPEs cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*
Vendors & Products Anthropic
Anthropic claude Code
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Tue, 21 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Anthropics
Anthropics claude Code
Vendors & Products Anthropics
Anthropics claude Code

Tue, 21 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation. This allowed a sandbox escape where neither the sandboxed command nor the unsandboxed app could independently write outside the workspace, but their combination could write to arbitrary locations, potentially leading to code execution outside the sandbox. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection. Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to version 2.1.64 or later.
Title Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace
Weaknesses CWE-22
CWE-61
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Anthropic Claude Code
Anthropics Claude Code
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T13:44:49.618Z

Reserved: 2026-04-07T19:13:20.379Z

Link: CVE-2026-39861

cve-icon Vulnrichment

Updated: 2026-04-21T13:44:44.769Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T01:16:06.647

Modified: 2026-04-23T18:36:24.017

Link: CVE-2026-39861

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T23:15:03Z

Weaknesses