CVE-2026-55607: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in anthropics claude-code
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163.
AI Analysis
Technical Summary
Claude Code versions >=2.1.38 and <2.1.163 have a path traversal vulnerability in worktree handling that permits attackers to create worktrees named ".git" and access directories outside the intended sandbox. This enables git directory confusion attacks through symlink manipulation and git fsmonitor execution during worktree operations. Successful exploitation can overwrite critical user files like .zshenv in the home directory, leading to code execution beyond seatbelt sandbox restrictions. Exploitation requires user interaction involving cloning a malicious repository and running Claude Code on it. The issue is resolved in version 2.1.163.
Potential Impact
An attacker can overwrite files in the user's home directory, such as .zshenv, which may lead to arbitrary code execution outside of sandbox restrictions. This elevates the risk of system compromise if the user runs Claude Code on a malicious repository. The vulnerability has a high CVSS score of 7.7, indicating significant impact on confidentiality, integrity, and availability with low attack complexity but requiring user interaction.
Mitigation Recommendations
This vulnerability is fixed in Claude Code version 2.1.163. Users should upgrade to version 2.1.163 or later to remediate this issue. No official patch or remediation level is explicitly stated beyond this fix version. Until upgraded, users should avoid running Claude Code on untrusted repositories containing potentially malicious prompt injection content.
CVE-2026-55607: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in anthropics claude-code
Description
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163.
CVSS v4.0
Score 7.7high
Affected software
pkg:github/anthropics/claude-codeRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Claude Code versions >=2.1.38 and <2.1.163 have a path traversal vulnerability in worktree handling that permits attackers to create worktrees named ".git" and access directories outside the intended sandbox. This enables git directory confusion attacks through symlink manipulation and git fsmonitor execution during worktree operations. Successful exploitation can overwrite critical user files like .zshenv in the home directory, leading to code execution beyond seatbelt sandbox restrictions. Exploitation requires user interaction involving cloning a malicious repository and running Claude Code on it. The issue is resolved in version 2.1.163.
Potential Impact
An attacker can overwrite files in the user's home directory, such as .zshenv, which may lead to arbitrary code execution outside of sandbox restrictions. This elevates the risk of system compromise if the user runs Claude Code on a malicious repository. The vulnerability has a high CVSS score of 7.7, indicating significant impact on confidentiality, integrity, and availability with low attack complexity but requiring user interaction.
Mitigation Recommendations
This vulnerability is fixed in Claude Code version 2.1.163. Users should upgrade to version 2.1.163 or later to remediate this issue. No official patch or remediation level is explicitly stated beyond this fix version. Until upgraded, users should avoid running Claude Code on untrusted repositories containing potentially malicious prompt injection content.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-16T23:31:22.445Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a42868627e9c7971906ce07
Added to database: 06/29/2026, 14:51:50 UTC
Last enriched: 06/29/2026, 15:08:27 UTC
Last updated: 06/30/2026, 01:36:21 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.