Description
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163.
Published: 2026-06-29
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Claude Code versions from 2.1.38 up to, but not including, 2.1.163 allowed a worktree named ".git" to be created and allowed navigation to worktrees outside the sandbox context. ".git" is the name git reserves for its metadata directory, so a worktree of that name can be confused with the repository's real git directory. Combined with symlink manipulation and git's fsmonitor execution during worktree operations (git runs the command configured in core.fsmonitor as an external hook), this let an attacker overwrite files in the user's home directory, such as ".zshenv", and so run code with the user's privileges outside the seatbelt sandbox. The assigned weaknesses are path traversal (CWE-22), link following (CWE-59) and OS command injection (CWE-78); the CVSS v4 vector rates the confidentiality, integrity and availability impact on the vulnerable system as high.
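
The following Python is an added example, not Claude Code's own code or its fix. It contrasts a naive worktree path check (join, then compare by string prefix) with a hardened one that rejects the reserved name ".git" in any component, parent-directory components, symlinks anywhere in the path, and any result that resolves outside the sandbox root. The sandbox layout it exercises (a sandbox directory containing a symlink to a sibling directory) is a constructed fixture in a temporary directory, and the function names are mine.

```python
"""Added example: naive versus hardened worktree path validation.

The naive check is the kind that lets a ".git"-named worktree, a "../"
component or a symlink escape the sandbox root; the hardened check rejects
all three. Nothing here is Claude Code's own code.
"""
import os
import tempfile


def naive_worktree_path(root, name):
    """Join and compare by string prefix. Accepts ".git", accepts "../x"
    (the joined string still starts with root) and accepts paths through a
    symlink that points outside root."""
    path = os.path.join(root, name)
    return path if path.startswith(root) else None


def validate_worktree_path(root, name):
    """Return the absolute worktree path, or raise ValueError.

    Rules: relative name only; no ".." components; no component git would
    treat as ".git" (case-insensitive, trailing dots/spaces stripped as NTFS
    does); no symlink anywhere in the existing prefix; and the fully
    resolved path must stay under the resolved root.
    """
    if not name or os.path.isabs(name):
        raise ValueError("worktree name must be a non-empty relative path")
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts:
        raise ValueError("worktree name resolves to the root itself")
    for part in parts:
        if part == "..":
            raise ValueError("parent-directory component not allowed")
        if part.rstrip(". ").casefold() == ".git":
            raise ValueError("'.git' is reserved for git's own metadata")
    real_root = os.path.realpath(root)
    current = real_root
    for part in parts:
        current = os.path.join(current, part)
        if os.path.islink(current):
            raise ValueError("symlink in worktree path: " + current)
    resolved = os.path.realpath(current)
    if os.path.commonpath([real_root, resolved]) != real_root:
        raise ValueError("worktree path resolves outside the sandbox root")
    return current


def run_demo():
    """Constructed fixture: tmp/sandbox with a symlink 'link' -> tmp/outside.
    Returns, per candidate name, whether each check accepts it and whether the
    naive result actually lands outside the sandbox."""
    names = [".git", "../escape", "link/evil", "sub/.GIT/x", "feature-1"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "sandbox")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "link"))
        real_root = os.path.realpath(root)
        for name in names:
            naive = naive_worktree_path(root, name)
            naive_escapes = (
                naive is not None
                and os.path.commonpath([real_root, os.path.realpath(naive)]) != real_root
            )
            try:
                validate_worktree_path(root, name)
                hardened_accepts = True
            except ValueError:
                hardened_accepts = False
            results[name] = {
                "naive_accepts": naive is not None,
                "naive_escapes": naive_escapes,
                "hardened_accepts": hardened_accepts,
            }
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name!r:14} {verdict}")
```

The symlink rejection is deliberately blunt: a symlink inside the root that points inside the root today can be repointed outside before the worktree is used, so the hardened check refuses links outright rather than trusting a one-time realpath comparison. A production implementation would additionally open directories with O_NOFOLLOW-style semantics to close the remaining time-of-check/time-of-use window.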

Affected Systems

The affected vendor is Anthropic, product Claude Code. All releases from 2.1.38 up to but not including 2.1.163 are vulnerable. Version 2.1.163 contains the fix.

Risk and Exploitability

The CVSS v4.0 base score is 7.7 (High). Its vector (AV:N/AC:L/AT:P/PR:N/UI:P) already prices in the preconditions: the malicious repository is delivered over the network and no privileges are needed, but attack requirements are present and limited (passive) user interaction is required. EPSS data is not available, the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and the SSVC assessment records no known exploitation and rates it not automatable, with total technical impact. Reliable exploitation requires the victim to clone a malicious repository containing prompt-injection content and then run Claude Code against it, so practical exploitability is moderate; a successful attack, however, yields code execution outside the sandbox with the user's privileges.

Generated by OpenCVE AI on June 29, 2026 at 16:21 UTC.

Remediation

The CVE record states that the fix is in Claude Code 2.1.163; no separate vendor advisory, patch reference or workaround is linked on this page.

OpenCVE Recommended Actions

  • Upgrade Claude Code to version 2.1.163 or later.
  • Run Claude Code in a dedicated, sandboxed workspace whose policy denies writes outside that workspace, in particular to the user's home directory and shell start-up files.
  • Monitor the user's home directory for unauthorized modifications to shell start-up files such as ".zshenv", and check git repositories Claude Code operates on for a core.fsmonitor setting that names a command; alert when either is detected.

Generated by OpenCVE AI on June 29, 2026 at 16:21 UTC.
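
As an added example of the second and third recommendations above (this is not OpenCVE's or Anthropic's tooling), the following Python takes a hash snapshot of the shell start-up files in a home directory and reports changes, and walks a directory tree for git config files whose core.fsmonitor is set to a command rather than a boolean, which is the setting git runs as an external fsmonitor hook. The home directory, the two repositories and the hook path it uses are constructed in a temporary directory; the function names and the list of watched files are my choices.

```python
"""Added example: two host-side checks for the pattern in this CVE.

1. Snapshot/diff the shell start-up files in a home directory, so an
   unexpected write to .zshenv (or a dotfile that has turned into a symlink)
   is reported.
2. Walk a directory tree for git config files whose core.fsmonitor is a
   command rather than a boolean; git runs such a value as an external
   fsmonitor hook.
Not OpenCVE's or Anthropic's tooling; names and sample data are constructed.
"""
import hashlib
import os
import tempfile

# Watched files: my choice of common zsh/bash start-up files.
STARTUP_FILES = (".zshenv", ".zprofile", ".zshrc", ".bash_profile", ".bashrc", ".profile")
# Values git treats as booleans for core.fsmonitor (builtin daemon on/off).
BOOLEAN_VALUES = {"true", "false", "yes", "no", "on", "off", "1", "0", ""}


def snapshot(home):
    """Map each watched file to its SHA-256, a 'symlink->target' marker, or None if absent."""
    state = {}
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if not os.path.lexists(path):
            state[name] = None
        elif os.path.islink(path):
            state[name] = "symlink->" + os.readlink(path)
        else:
            with open(path, "rb") as fh:
                state[name] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_snapshots(before, after):
    """Return [(name, 'created'|'modified'|'deleted')] for files that changed."""
    events = []
    for name in STARTUP_FILES:
        old, new = before.get(name), after.get(name)
        if old == new:
            continue
        events.append((name, "created" if old is None else "deleted" if new is None else "modified"))
    return events


def parse_git_config(path):
    """Minimal parser for git's INI-like config: {(section, key): value}.
    Handles [section] and [section "subsection"] headers and # / ; comments."""
    values, section = {}, None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].split(None, 1)[0].lower()
            elif "=" in line and section is not None:
                key, value = line.split("=", 1)
                values[(section, key.strip().lower())] = value.strip().strip('"')
    return values


def find_fsmonitor_hooks(search_root):
    """[(config_path, value)] for every git config under search_root whose
    core.fsmonitor names a command. os.walk does not follow symlinks."""
    hits = []
    for dirpath, _, filenames in os.walk(search_root):
        if ".git" not in dirpath.split(os.sep):
            continue
        for filename in filenames:
            if filename in ("config", "config.worktree"):
                config_path = os.path.join(dirpath, filename)
                value = parse_git_config(config_path).get(("core", "fsmonitor"))
                if value is not None and value.lower() not in BOOLEAN_VALUES:
                    hits.append((config_path, value))
    return hits


def run_demo():
    """Constructed fixture: a temp home with .zshenv and two repos, one with a
    boolean fsmonitor and one pointing at a hook script; then .zshenv is overwritten."""
    with tempfile.TemporaryDirectory() as home:
        with open(os.path.join(home, ".zshenv"), "w") as fh:
            fh.write("export PATH=$HOME/bin:$PATH\n")
        for repo, setting in (("clean", "true"), ("suspect", "/tmp/constructed-hook.sh")):
            gitdir = os.path.join(home, repo, ".git")
            os.makedirs(gitdir)
            with open(os.path.join(gitdir, "config"), "w") as fh:
                fh.write("[core]\n\trepositoryformatversion = 0\n\tfsmonitor = %s\n" % setting)
                fh.write('[remote "origin"]\n\turl = https://example.invalid/repo.git\n')
        before = snapshot(home)
        with open(os.path.join(home, ".zshenv"), "a") as fh:
            fh.write("# constructed payload line standing in for an attacker's write\n")
        events = diff_snapshots(before, snapshot(home))
        hooks = [value for _, value in find_fsmonitor_hooks(home)]
    return {"events": events, "hook_values": hooks}


if __name__ == "__main__":
    print(run_demo())
```

In use, the baseline snapshot would be stored when the workspace is set up and compared on a schedule or from a file-change notification; the config walk is cheap enough to run against every repository Claude Code is pointed at before the tool starts. A boolean core.fsmonitor selects git's builtin daemon and is not flagged; anything else is a command git will execute.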

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 16:30:00 +0000

  Values added (nothing removed):
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 15:00:00 +0000

  Values added (nothing removed):
  • Description: the CVE description quoted at the top of this page
  • Title: Claude Code: Sandbox Escape via Git Worktree Path Confusion Allows Unsandboxed Code Execution
  • Weaknesses: CWE-22, CWE-59, CWE-78
  • References: none listed
  • Metrics: cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-29T15:51:30.130Z

Reserved: 2026-06-16T23:31:22.445Z

Link: CVE-2026-55607

Vulnrichment

Updated: 2026-06-29T15:51:26.139Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T16:30:17Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')