CVE-2026-39861: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in anthropics claude-code
CVE-2026-39861 is a path traversal vulnerability in anthropics Claude Code prior to version 2. 1. 64. The sandbox did not prevent sandboxed processes from creating symbolic links pointing outside the workspace. When the unsandboxed process wrote to a path within such a symlink, it followed the link and wrote outside the workspace without user confirmation. This allowed a sandbox escape by combining sandboxed and unsandboxed process behaviors, potentially enabling code execution outside the sandbox. Exploitation requires the ability to inject untrusted content into a Claude Code context window to trigger sandboxed code execution. Users with standard auto-update have received the fix automatically; manual update to version 2. 1. 64 or later is advised.
AI Analysis
Technical Summary
Claude Code versions before 2.1.64 contain a path traversal vulnerability (CWE-22) where sandboxed processes can create symlinks to locations outside the workspace. The unsandboxed process then follows these symlinks when writing files, allowing writes outside the intended sandbox boundaries without user confirmation. This interaction enables a sandbox escape, potentially leading to arbitrary code execution outside the sandbox environment. Exploitation requires prompt injection to execute sandboxed code with untrusted input. The vulnerability has a CVSS 4.0 score of 7.7 (high severity). The fix is included in version 2.1.64, and users with auto-update have been patched automatically.
Potential Impact
Successful exploitation can lead to sandbox escape, allowing an attacker to write to arbitrary locations outside the sandbox. This could potentially result in code execution outside the sandbox environment. However, exploitation requires the ability to inject untrusted content into a Claude Code context window to trigger sandboxed code execution. There are no known exploits in the wild at this time.
Mitigation Recommendations
Users who rely on standard Claude Code auto-update have already received the fix. Users performing manual updates should upgrade to version 2.1.64 or later to remediate this vulnerability. Patch status is not explicitly confirmed in the vendor advisory, but the description states the fix is included in version 2.1.64, indicating an official fix is available.
CVE-2026-39861: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in anthropics claude-code
Description
CVE-2026-39861 is a path traversal vulnerability in anthropics Claude Code prior to version 2. 1. 64. The sandbox did not prevent sandboxed processes from creating symbolic links pointing outside the workspace. When the unsandboxed process wrote to a path within such a symlink, it followed the link and wrote outside the workspace without user confirmation. This allowed a sandbox escape by combining sandboxed and unsandboxed process behaviors, potentially enabling code execution outside the sandbox. Exploitation requires the ability to inject untrusted content into a Claude Code context window to trigger sandboxed code execution. Users with standard auto-update have received the fix automatically; manual update to version 2. 1. 64 or later is advised.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Claude Code versions before 2.1.64 contain a path traversal vulnerability (CWE-22) where sandboxed processes can create symlinks to locations outside the workspace. The unsandboxed process then follows these symlinks when writing files, allowing writes outside the intended sandbox boundaries without user confirmation. This interaction enables a sandbox escape, potentially leading to arbitrary code execution outside the sandbox environment. Exploitation requires prompt injection to execute sandboxed code with untrusted input. The vulnerability has a CVSS 4.0 score of 7.7 (high severity). The fix is included in version 2.1.64, and users with auto-update have been patched automatically.
Potential Impact
Successful exploitation can lead to sandbox escape, allowing an attacker to write to arbitrary locations outside the sandbox. This could potentially result in code execution outside the sandbox environment. However, exploitation requires the ability to inject untrusted content into a Claude Code context window to trigger sandboxed code execution. There are no known exploits in the wild at this time.
Mitigation Recommendations
Users who rely on standard Claude Code auto-update have already received the fix. Users performing manual updates should upgrade to version 2.1.64 or later to remediate this vulnerability. Patch status is not explicitly confirmed in the vendor advisory, but the description states the fix is included in version 2.1.64, indicating an official fix is available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-07T19:13:20.379Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e70c3119fe3cd2cda1991b
Added to database: 4/21/2026, 5:33:37 AM
Last enriched: 4/21/2026, 5:34:05 AM
Last updated: 4/21/2026, 7:46:28 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.