EXECUTIVE SUMMARY:
CVE-2026-39861 (CVSS score 7.5) is a path traversal vulnerability in npm/@anthropic-ai/claude-code affecting versions prior to 2.1.64. The vulnerability arises because Claude Code's sandbox does not prevent sandboxed processes from creating symlinks that point to locations outside the workspace. When Claude Code subsequently writes to a path beneath such a symlink, its unsandboxed process follows the symlink and writes to the target location outside the workspace without prompting the user for confirmation, enabling a sandbox escape. An attacker can exploit this vulnerability by adding untrusted content to a Claude Code context window and triggering sandboxed code execution via prompt injection; this requires the ability to manipulate the sandboxed environment. Successful exploitation gives the attacker the capability to write to arbitrary locations, potentially leading to code execution outside the sandbox. The business impact includes unauthorized access to sensitive data and potentially malicious code execution. Exploitation is possible only under the condition that the attacker can manipulate the Claude Code context window.
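The defensive check this advisory implies (resolve the full path, including every symlink component, before an unsandboxed write and refuse any target that lands outside the workspace root) is shown below as an added Python example; it is not Claude Code's own code, and the workspace layout, link names and file names are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


class EscapeAttempt(Exception):
    """Raised when a write would land outside the workspace root."""


def resolve_inside(workspace: str, rel_path: str) -> Path:
    """Resolve rel_path under workspace, following symlinks in every
    component, and verify the final target still lies inside the root."""
    root = Path(workspace).resolve()
    target = (root / rel_path).resolve()  # follows symlinks, even to missing leaf
    try:
        target.relative_to(root)
    except ValueError:
        raise EscapeAttempt(f"{rel_path!r} resolves to {target}, outside {root}")
    return target


def safe_write(workspace: str, rel_path: str, data: bytes) -> Path:
    """Write data only if the resolved path stays within the workspace."""
    target = resolve_inside(workspace, rel_path)
    # O_NOFOLLOW protects the final component against a symlink swapped in
    # between the check above and this open (TOCTOU).
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Constructed layout: one symlink staying inside the workspace, one
    pointing outside it. Returns what safe_write allowed and blocked."""
    base = tempfile.mkdtemp()
    ws = os.path.join(base, "workspace")
    outside = os.path.join(base, "outside")  # simulates a location beyond the sandbox
    os.makedirs(os.path.join(ws, "src"))
    os.makedirs(outside)
    os.symlink(os.path.join(ws, "src"), os.path.join(ws, "link_in"))
    os.symlink(outside, os.path.join(ws, "link_out"))
    results = {}
    safe_write(ws, "link_in/notes.txt", b"ok")
    results["inside"] = os.path.exists(os.path.join(ws, "src", "notes.txt"))
    try:
        safe_write(ws, "link_out/evil.txt", b"x")
        results["outside_blocked"] = False
    except EscapeAttempt:
        results["outside_blocked"] = not os.path.exists(os.path.join(outside, "evil.txt"))
    return results
```

A naive check on the literal path string would pass `link_out/evil.txt` because it contains no `..`; only resolving the symlink exposes the real destination.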
RECOMMENDATION:
We recommend updating claude-code to version 2.1.64.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-vp62-r36r-9xqp