Cyber Resilience

CVE-2026-39861

High

Published: 21 April 2026

Published
21 April 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0052 39.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-39861 is a high-severity Path Traversal (CWE-22) vulnerability in Anthropic Claude Code. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 39.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Adversarial Attacks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-39861 is a critical sandbox escape vulnerability (CVSS 3.1 score of 10.0) affecting Claude Code, an agentic coding tool, in versions prior to 2.1.64. The issue stems from the sandbox failing to prevent sandboxed processes from creating symbolic links (symlinks) that point to locations outside the designated workspace (CWE-22: Path Traversal, CWE-61). When the unsandboxed Claude Code process subsequently writes to a path resolved through such a symlink, it follows the link and writes to arbitrary target locations outside the workspace without user confirmation, bypassing sandbox restrictions.

Exploitation requires an attacker to inject untrusted content into a Claude Code context window, enabling prompt injection to trigger execution of malicious sandboxed code that creates the symlink. Remote attackers with network access (AV:N) can achieve this with low complexity, no privileges, and no user interaction (AC:L/PR:N/UI:N), leading to a scope change (S:C). Successful exploitation allows arbitrary file writes outside the sandbox—neither the sandboxed command nor the unsandboxed app can independently write externally, but their combination enables this—potentially resulting in code execution with the privileges of the unsandboxed process.

The GitHub security advisory (GHSA-vp62-r36r-9xqp) recommends updating to Claude Code version 2.1.64 or later to mitigate the vulnerability. Users on standard auto-update channels have received the fix automatically, while those performing manual updates must apply it explicitly. The vulnerability was published on 2026-04-21.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink,…

more

its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation. This allowed a sandbox escape where neither the sandboxed command nor the unsandboxed app could independently write outside the workspace, but their combination could write to arbitrary locations, potentially leading to code execution outside the sandbox. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection. Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to version 2.1.64 or later.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Adversarial Attacks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: claude, prompt injection

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability enables remote exploitation of a client-side coding tool via prompt injection to execute sandboxed code creating symlinks for path traversal, allowing arbitrary file writes outside the sandbox with unsandboxed process privileges, directly facilitating client execution (T1203) and privilege escalation via sandbox escape (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24887Same product: Anthropic Claude Code
CVE-2025-54794Same product: Anthropic Claude Code
CVE-2026-33068Same product: Anthropic Claude Code
CVE-2025-65099Same product: Anthropic Claude Code
CVE-2025-59041Same product: Anthropic Claude Code
CVE-2026-25724Same product: Anthropic Claude Code
CVE-2026-25725Same product: Anthropic Claude Code
CVE-2026-24052Same product: Anthropic Claude Code
CVE-2025-64755Same product: Anthropic Claude Code
CVE-2026-25722Same product: Anthropic Claude Code

Affected Assets

anthropic
claude code
≤ 2.1.64

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-39 enforces process isolation in the sandbox to prevent sandboxed processes from creating symlinks pointing to locations outside the workspace.

prevent

SI-10 requires validation of untrusted content input to the Claude Code context window to block prompt injection that triggers malicious symlink-creating code.

preventrecover

SI-2 mandates timely flaw remediation through updating to Claude Code version 2.1.64 or later, directly fixing the symlink sandbox escape vulnerability.

References