CVE-2026-39861: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in anthropics claude-code
Claude Code versions prior to 2. 1. 64 contain a path traversal vulnerability in their sandbox implementation. The sandbox did not prevent sandboxed processes from creating symbolic links pointing outside the workspace. When the unsandboxed process wrote to a path through such a symlink, it could write outside the intended sandbox without user confirmation. This combination allows sandbox escape and potential code execution outside the sandbox. Exploitation requires injecting untrusted content to trigger sandboxed code execution. Users with standard auto-updates have received the fix; manual update to version 2. 1. 64 or later is advised.
AI Analysis
Technical Summary
CVE-2026-39861 is a path traversal vulnerability (CWE-22) in anthropics Claude Code before version 2.1.64. The sandbox allowed creation of symlinks pointing outside the workspace. When the unsandboxed process wrote to a path within such a symlink, it followed the link and wrote outside the sandbox without user confirmation. This interaction between sandboxed and unsandboxed processes enables sandbox escape and potential arbitrary code execution. Exploitation requires the ability to inject untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection. The vulnerability is fixed in version 2.1.64.
Potential Impact
Successful exploitation can lead to sandbox escape, allowing code execution outside the sandboxed environment. This undermines the security boundary intended to isolate sandboxed processes, potentially enabling unauthorized modification of arbitrary files or execution of arbitrary code on the host system. However, exploitation requires user interaction and the ability to inject untrusted content to trigger sandboxed code execution.
Mitigation Recommendations
Users who rely on standard Claude Code auto-update mechanisms have already received the fix. Those performing manual updates should upgrade to version 2.1.64 or later to remediate this vulnerability. No additional mitigation steps are indicated by the vendor advisory.
CVE-2026-39861: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in anthropics claude-code
Description
Claude Code versions prior to 2. 1. 64 contain a path traversal vulnerability in their sandbox implementation. The sandbox did not prevent sandboxed processes from creating symbolic links pointing outside the workspace. When the unsandboxed process wrote to a path through such a symlink, it could write outside the intended sandbox without user confirmation. This combination allows sandbox escape and potential code execution outside the sandbox. Exploitation requires injecting untrusted content to trigger sandboxed code execution. Users with standard auto-updates have received the fix; manual update to version 2. 1. 64 or later is advised.
CVSS v4.0
Score 7.7high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-39861 is a path traversal vulnerability (CWE-22) in anthropics Claude Code before version 2.1.64. The sandbox allowed creation of symlinks pointing outside the workspace. When the unsandboxed process wrote to a path within such a symlink, it followed the link and wrote outside the sandbox without user confirmation. This interaction between sandboxed and unsandboxed processes enables sandbox escape and potential arbitrary code execution. Exploitation requires the ability to inject untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection. The vulnerability is fixed in version 2.1.64.
Potential Impact
Successful exploitation can lead to sandbox escape, allowing code execution outside the sandboxed environment. This undermines the security boundary intended to isolate sandboxed processes, potentially enabling unauthorized modification of arbitrary files or execution of arbitrary code on the host system. However, exploitation requires user interaction and the ability to inject untrusted content to trigger sandboxed code execution.
Mitigation Recommendations
Users who rely on standard Claude Code auto-update mechanisms have already received the fix. Those performing manual updates should upgrade to version 2.1.64 or later to remediate this vulnerability. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-07T19:13:20.379Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e70c3119fe3cd2cda1991b
Added to database: 4/21/2026, 5:33:37 AM
Last enriched: 4/28/2026, 6:05:50 AM
Last updated: 6/4/2026, 11:47:47 AM
Views: 168
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.