At a glance
- The issue: Claude Code's sandboxed sub-processes could create symbolic links pointing outside their workspace, and the unsandboxed parent process then followed them when writing files. A prompt-injection attacker can chain this to overwrite arbitrary files anywhere the user can write, with no confirmation prompt.
- Who's affected: Anyone running `@anthropic-ai/claude-code` before version `2.1.64` who lets the CLI process untrusted content (web pages, repos, documents).
- What to do now: Upgrade `@anthropic-ai/claude-code` to `2.1.64` (or newer).
Executive Summary
Anthropic's Claude Code CLI (@anthropic-ai/claude-code) before version 2.1.64 contains a sandbox-boundary failure: sandboxed processes were permitted to create symbolic links pointing outside the Claude Code workspace, and the CLI's unsandboxed parent process then followed those symlinks when writing files, without prompting the user for confirmation of the out-of-workspace write (GHSA-vp62-r36r-9xqp). Reliable exploitation requires indirect prompt injection, placing untrusted content into the model's context window so the model steers sandboxed tool calls into creating the symlinks and then steers unsandboxed writes through them (GHSA-vp62-r36r-9xqp). The issue is tracked as CVE-2026-39861 with CWE-22 (Path Traversal) and CWE-61 (UNIX Symbolic Link Following). NVD completed analysis on 2026-04-23 and assigned a Primary CVSS 3.1 score of 10.0 CRITICAL; the GitHub CNA's CVSS 4.0 Secondary is 7.7 HIGH (see the CVSS Divergence section). Fixed in @anthropic-ai/claude-code 2.1.64, published to npm on 2026-03-03T03:19:58.867Z by wolffiex@anthropic.com, shasum 836176c0021436b6d43c28f235006b3236436851 (npm registry, verified 2026-04-23).
Risk Rating
| Dimension | Rating | Detail |
|---|---|---|
| Severity | Critical (NVD 3.1 Primary) / High (CNA 4.0 Secondary) | NVD CVSS 3.1 Primary 10.0 CRITICAL (analysis completed 2026-04-23); GitHub CNA CVSS 4.0 Secondary 7.7 HIGH. The two scores use different CVSS versions and different metrics, see CVSS Divergence section below. |
| Urgency | Moderate | Fix available since 2026-03-03 on npm, auto-update installations received it on day one. Public disclosure embargo lifted 2026-04-21. FIRST.org EPSS 0.00104 / 28.3rd percentile as of 2026-04-23. |
| Scope | Developer workstations running @anthropic-ai/claude-code < 2.1.64 that process untrusted content | Any Claude Code session that ingests external PRs, web-page summaries, bug reports, or other non-vetted content is an exposure path. |
| Confidence | High | Root cause, attack chain, and fix version all directly attested in the GHSA record; CVE NVD-Analyzed with Primary CVSS and Primary CWE mappings; corroborated by npm publish metadata and shasum for 2.1.64. |
| Business Impact | High on affected deployments | Arbitrary file write under the developer's user account, .ssh/authorized_keys, shell init, editor config, and credential files are all reachable target classes (RAXE assessment). |
CVSS Divergence
The 2.3-point gap between NVD's CVSS 3.1 Primary (10.0 Critical) and the GitHub CNA's CVSS 4.0 Secondary (7.7 High) is driven by two vector differences:
- `UI:N` (NVD 3.1) vs `UI:P` (CNA 4.0). NVD's 3.1 treats the attacker as not requiring user interaction, the victim is already running Claude Code, and untrusted content reaches the model through normal session activity. The CNA's 4.0 encodes user interaction as `UI:P` (Passive), reflecting that the victim must engage with the untrusted content for the indirect prompt injection to steer the session. Both readings are defensible.
- `S:C` (NVD 3.1) vs no scope change (CNA 4.0). NVD's 3.1 uses `S:C` (Scope: Changed) because the sandbox boundary is the security boundary being broken, writes reach resources outside the Claude Code workspace. CVSS 4.0 replaced the Scope metric with Subsequent-System impact metrics (`SC:N/SI:N/SA:N` here); the CNA scored no subsequent-system impact.
RAXE uses the NVD 3.1 Primary as the reference severity per RAXE publication convention; the CNA 4.0 Secondary is the more operationally-descriptive score because it encodes the prompt-injection precondition in AT:P and the session-engagement prerequisite in UI:P. Practitioners should read both together.
Affected Products
| Product | Affected Versions | Fixed Version | Status |
|---|---|---|---|
| @anthropic-ai/claude-code (npm) | < 2.1.64 | 2.1.64 (published 2026-03-03) | Patched (Anthropic via GHSA) |
Am I affected?
- Check installation: run `npm list -g @anthropic-ai/claude-code` or `claude --version`. Versions below `2.1.64` are affected on every operating system the CLI supports.
- Check workflow exposure: any Claude Code session that processes untrusted content, external PR review, external bug triage, web-page summarisation, cross-repo dependency analysis, summarising external documentation, is an exposure path. Sessions confined to trusted local code are not exposed.
- Check update channel: default auto-update installations have been patched since 2026-03-03. Pinned installs (common in regulated environments), older offline-cached binaries, and installations deliberately held back on a specific version are the remaining exposed population.
Abstract
CVE-2026-39861 is a combined path-traversal (CWE-22) and symlink-following (CWE-61) vulnerability in Claude Code versions before 2.1.64 (NVD; GHSA-vp62-r36r-9xqp). Claude Code executes tool calls inside a sandbox whose boundary is the session's workspace directory. Pre-2.1.64, the sandbox did not prevent sandboxed processes from creating symbolic links whose targets point outside the workspace. Claude Code's unsandboxed parent process, which carries out file writes, then followed those symlinks at write time, landing the write on the attacker-chosen out-of-workspace target without firing the normal user-confirmation prompt (GHSA-vp62-r36r-9xqp, verbatim: "When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation"). Reliable exploitation requires indirect prompt injection, planting untrusted content in the model's context window so the model steers the sandboxed symlink creation and the subsequent unsandboxed write. NVD completed analysis on 2026-04-23 and assigned CVSS 3.1 Primary 10.0 CRITICAL on vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H; the GHSA CNA's CVSS 4.0 Secondary is 7.7 HIGH on vector AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The fix landed in @anthropic-ai/claude-code 2.1.64 on 2026-03-03, approximately seven weeks before public disclosure on 2026-04-21, consistent with a coordinated disclosure embargo (GHSA-vp62-r36r-9xqp; npm registry).
Key Findings
- The primitive is sandbox-boundary violation via symlink, not a sandbox-escape via exploit code. The sandboxed process does not need to find a memory-corruption bug or a sandbox escape exploit; it only needs to create a symlink. The unsandboxed parent's subsequent file write follows the symlink and does the actual boundary crossing (GHSA-vp62-r36r-9xqp).
- Indirect prompt injection is the required delivery mechanism. The advisory explicitly states that reliable exploitation requires the ability to add untrusted content into a Claude Code context window (GHSA-vp62-r36r-9xqp). The attacker therefore needs a content-delivery channel, PR body, external repo README, web page the user asks Claude to summarise, not a network foothold.
- The unsandboxed parent does not re-validate the write path after symlink resolution. This is the specific design gap; the fix in 2.1.64 is expected to close it by either rejecting out-of-workspace symlinks at sandbox-creation time or resolving symlinks before the confirmation prompt fires (RAXE assessment, the advisory does not detail the fix mechanism).
- NVD's 10.0 Primary is striking but defensible. A CVSS 3.1 score at the ceiling is rare. The `S:C/UI:N/PR:N` combination reflects that (a) the sandbox boundary being breached is a security scope, and (b) the attacker's content, once it reaches the model, does not require further victim interaction to complete the chain. The CNA's 7.7 CVSS 4.0 encodes the delivery prerequisites more precisely; both scores belong in the public record (RAXE assessment).
- Seven-week embargo, zero-day patch distribution via auto-update. The fix shipped to npm on 2026-03-03, disclosure landed 2026-04-21; auto-update users had the fix for seven weeks before the advisory dropped. This is the intended shape of coordinated disclosure and leaves only pinned installs exposed by the time the advisory is public (RAXE assessment based on the npm publish timestamps).
Attack Flow
```
Attacker prepares untrusted content (PR body, external README,
web page, bug report) carrying an indirect-prompt-injection payload.
        |
        |  Victim runs `claude` session; content lands in model context
        v
Claude Code (< 2.1.64) model, steered by the injection, issues
sandboxed tool calls that create:
    ln -s $HOME/.ssh/authorized_keys   ./workspace/.cache/result.txt
          (target: outside workspace)  (path: inside workspace)
        |
        |  Model, still steered by the injection, issues an
        |  unsandboxed file-write to the in-workspace path
        v
Claude Code unsandboxed parent:
    open("./workspace/.cache/result.txt", O_WRONLY | O_CREAT)
      -> kernel symlink resolution follows the link
      -> file descriptor points at $HOME/.ssh/authorized_keys
      -> attacker-chosen content is written to $HOME/.ssh/authorized_keys
      -> NO confirmation prompt fires

Outcome: arbitrary file write under the developer's user account.
```
Target path in the diagram ($HOME/.ssh/authorized_keys) is illustrative; the advisory does not enumerate specific post-exploit targets. The class of reachable targets is "anything writable under the developer's user account" (RAXE assessment).
Technical Details
Vulnerability mechanics (per GHSA-vp62-r36r-9xqp)
Claude Code's execution sandbox enforces workspace boundaries for sandboxed tool processes. Pre-2.1.64, that enforcement did not include a check that symbolic links created by sandboxed processes targeted in-workspace destinations only (GHSA-vp62-r36r-9xqp). The unsandboxed parent, which performs file writes as part of normal Claude Code operation, did not re-validate the effective write path after symlink resolution. Writes to in-workspace paths that happened to be symlinks therefore landed wherever the symlinks pointed, including sensitive $HOME-relative targets.
The two CWE mappings decompose the failure cleanly:
- `CWE-22` (Path Traversal). The resolved path from inside the workspace crosses the intended directory boundary.
- `CWE-61` (UNIX Symbolic Link Following). The specific resolution mechanism is symlink traversal at write time.
Both CWEs are recorded in NVD as Primary assignments from the GitHub CNA (security-advisories@github.com) and adopted by NVD as the authoritative CWE mapping for this record (NVD); vendor and NVD therefore agree on the vulnerability class.
Required delivery mechanism
The advisory quotes: "Reliably exploiting this required the ability to add untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection" (GHSA-vp62-r36r-9xqp). Reliable exploitation therefore requires:
- A channel to introduce untrusted content into the model's context: a PR body, an external README, a web page Claude is asked to summarise, an external bug report, or any similar ingress.
- An indirect-prompt-injection payload inside that content that steers the model into (a) creating the symlink via a sandboxed tool call, and (b) subsequently writing to the in-workspace path via an unsandboxed tool call.
- The attacker does not need network reachability, prior authentication, or a compromise of Anthropic's infrastructure.
Fix
@anthropic-ai/claude-code@2.1.64 shipped on npm at 2026-03-03T03:19:58.867Z, publisher wolffiex@anthropic.com, tarball shasum 836176c0021436b6d43c28f235006b3236436851 (npm registry, queried 2026-04-23). The prior release 2.1.63 was published 2026-02-28T02:43:42.865Z. The advisory does not describe the fix mechanism in detail; RAXE infers (and tags as such) that 2.1.64 adds symlink-target validation inside the sandbox and/or symlink resolution plus out-of-workspace confirmation at the unsandboxed-write stage. Source tree not audited (RAXE assessment).
Confidence & Validation
Assessment Confidence: High
| Aspect | Status | Detail |
|---|---|---|
| Vendor advisory | Confirmed | GHSA-vp62-r36r-9xqp, Anthropic-authored, published 2026-04-21 |
| CVE assigned | Confirmed | CVE-2026-39861, NVD status Analyzed (analysis completed 2026-04-23), CVSS 3.1 Primary 10.0 CRITICAL, CWE-22 + CWE-61 Primary |
| PoC available | Not published | The advisory does not publish a weaponised PoC; the structural attack chain is described in prose but no code fragment is released |
| Patch available | Confirmed | @anthropic-ai/claude-code 2.1.64, npm publish 2026-03-03 |
| Exploited in wild | Not observed by RAXE | No KEV listing; no vendor statement of in-wild exploitation |
Detection Signatures
Full Sigma rules published alongside this advisory as detection/claude-code-symlink-escape.yml:
- Symlink Creation From Claude Code Workspace Targeting Sensitive Path, `file_event` + syscall-level rule that fires when a sandboxed-or-unsandboxed Claude Code process creates a symlink whose target resolves to `$HOME/.ssh/`, shell init files, AWS / npm / pypi credential files, or editor config. High-fidelity pre-exploit signal on pre-2.1.64 Claude Code.
- Claude Code Workspace Write Through Out-Of-Workspace Symlink, exploitation-in-progress signal. Requires EDR telemetry that logs both the as-presented write path and the resolved target; the rule covers the moment the unsandboxed parent resolves the symlink and the write lands outside the workspace.
- Claude Code Launch On Developer Workstation (correlation seed), broad base rule for backend correlation. Equivalent to the seed rule shipped with RAXE's earlier Claude Code Windows LPE coverage; if that deployment is already in place, this seed can be suppressed in favour of the prior one.
Detection & Mitigation
Priority 1, patch. Upgrade @anthropic-ai/claude-code to 2.1.64 or later. Default auto-update channels have carried the fix since 2026-03-03; manual-update and pinned installs are the remaining exposure.
Priority 2, audit past sessions for the exposure window. For installations that ran any < 2.1.64 build before the patch-adoption date, review Claude Code session logs for external-content ingestion combined with symlink creation inside workspaces. The 2.1.63 publish date (2026-02-28) is a useful recent-window anchor, not the start of affected versions. Escalate any symlink whose target resolves into $HOME sensitive paths.
Priority 3, rotate credentials for confirmed-exposed sessions. On hosts where a pre-2.1.64 Claude Code session processed untrusted content during the exposure window, rotate any credentials stored under the user's $HOME that a file-write primitive could have overwritten, SSH keys, AWS/npm/pypi tokens, and shell-init scripts that carry secrets.
Priority 4, deploy the Sigma content referenced above. The file-event rules require symlink-syscall and symlink-resolution telemetry; on Linux/macOS this is auditd/Sysmon-for-Linux; on Windows it is EDR-native file-event enrichment.
Priority 5, adopt indirect-prompt-injection hygiene. Where organisations run Claude Code against external content routinely (bug triage, external PR review, documentation summarisation), separate those sessions from sessions that handle sensitive local code and credentials. This is workflow-level defence-in-depth, not a fix for the vulnerability.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| File-event | Symlink creation inside a Claude Code workspace whose target resolves to $HOME/.ssh/, $HOME/.bashrc, $HOME/.zshrc, $HOME/.aws/, $HOME/.npmrc, $HOME/.pypirc, $HOME/.config/Code/User/settings.json, or equivalent | Pre-exploit primitive (GHSA-vp62-r36r-9xqp) |
| File-event | Write from a Claude Code process to a path that resolves, after symlink following, outside the session's declared workspace | Exploitation-in-progress (RAXE assessment based on advisory language) |
| Session log | Claude Code session that ingested external content and subsequently issued ln/symlinkat tool calls | Candidate past-exposure session for retrospective audit (RAXE assessment) |
No file-hash or network-indicator IoCs are available, the attack primitive is structural (RAXE assessment).
Strategic Context
This is the fifth Claude Code advisory RAXE has covered, following earlier coverage of trusted-domain validation, workspace-trust dialog bypass, an OS command injection, and the Windows ProgramData LPE. The five findings form an increasingly clear pattern: Claude Code's trust-boundary assumptions are being systematically probed by external researchers, and Anthropic's response cadence is keeping up, 2.1.64 shipped roughly seven weeks before the 2026-04-21 advisory drop, and the later Windows LPE patched rapidly after its separate disclosure.
Two strategic implications worth naming for forward-looking work:
- Sandbox-boundary bugs in agentic CLIs are their own class. The specific primitive here, "sandboxed process plants a symlink, unsandboxed parent follows it", is a known-class Unix security pattern (`CWE-61` has existed for decades), but its appearance inside agentic tooling is a new context. Sandbox architectures for agentic CLIs must re-audit every pre-write file operation for symlink re-validation, not just the sandboxed side of the boundary (RAXE assessment).
- Indirect prompt injection is the reliable delivery mechanism for agentic-CLI sandbox escapes. Every non-trivial Claude Code advisory in this series has had prompt injection, indirect or direct, as at least part of the chain. The class of bug is shifting from "direct network RCE" to "LLM-steered abuse of tool primitives", a detection and policy shift the defender community is still catching up to (RAXE assessment).
For enterprise defenders the practical posture is: Claude Code is a trusted-but-verify endpoint; pin or auto-update with discipline; and treat sessions that ingest untrusted content as a distinct telemetry category.
References
- GHSA-vp62-r36r-9xqp, Claude Code sandbox escape via symlink following, https://github.com/anthropics/claude-code/security/advisories/GHSA-vp62-r36r-9xqp (accessed 2026-04-23; published 2026-04-21; the advisory description credits `hackerone.com/philts` as the reporter, GitHub's structured `credits` API field is empty for this advisory, so the attribution lives in the description body only).
- NVD, CVE-2026-39861, https://nvd.nist.gov/vuln/detail/CVE-2026-39861 (accessed 2026-04-23; NVD status `Analyzed`, analysis completed 2026-04-23; NVD CVSS 3.1 Primary 10.0 CRITICAL; CWE-22 + CWE-61 Primary).
- npm registry, `@anthropic-ai/claude-code` 2.1.64 manifest, https://registry.npmjs.org/@anthropic-ai/claude-code/2.1.64 (publish time 2026-03-03T03:19:58.867Z, shasum 836176c0021436b6d43c28f235006b3236436851, publisher wolffiex@anthropic.com, verified 2026-04-23).
- FIRST.org EPSS, CVE-2026-39861, https://api.first.org/data/v1/epss?cve=CVE-2026-39861 (0.00104, 28.3rd percentile, 2026-04-23).