
CVE-2026-55607

Severity: High · RCE

Published: 29 June 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: fixed in 2.1.163
CVSS v4.0 base score: 7.7 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS score: 0.0071 (49.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-55607 is a high-severity Path Traversal (CWE-22) vulnerability in Anthropic Claude Code: a git directory confusion that lets a malicious repository write outside the tool's sandbox. Its CVSS v4.0 base score is 7.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Unix Shell (T1059.004). EPSS ranks it at the 49.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt (macOS sandbox) restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163.

Two git behaviours make the chain work. A directory named ".git" is where git looks for repository metadata, so a worktree with that name placed where git resolves it as the repository directory lets the attacker supply the configuration git reads; and the core.fsmonitor setting can name a hook command that git runs during ordinary operations such as status and worktree handling, with the user's privileges and from the user's real filesystem view. Writing to .zshenv matters because zsh sources it for every shell it starts, interactive or not, so the payload runs the next time any zsh process is launched.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Path traversal combined with command injection (CWE-22/CWE-78) through a malicious worktree lets the attacker overwrite a Unix shell startup file (.zshenv, which zsh sources for every shell it starts, interactive or not), so the next shell the user or the agent launches executes the attacker's commands outside the sandbox.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44470 (same vendor: Anthropic)
CVE-2025-48384 (shared CWE-59)
CVE-2024-57728 (shared CWE-22, CWE-59)
CVE-2026-33001 (shared CWE-22, CWE-59)
CVE-2026-34603 (shared CWE-22, CWE-59)
CVE-2026-34604 (shared CWE-22, CWE-59)
CVE-2021-21272 (shared CWE-22, CWE-59)
CVE-2026-55667 (shared CWE-22, CWE-59)
CVE-2026-11940 (shared CWE-22, CWE-59)
CVE-2022-30333 (shared CWE-22, CWE-59)

Affected Assets

Vendor: anthropic
Product: claude code
Versions: >= 2.1.38 and < 2.1.163 (fixed in 2.1.163)

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22, CWE-78: validates pathnames and filenames to prevent traversal outside intended directories. For this CVE that means rejecting worktree names containing a ".git" component and checking containment after symlink resolution, not only lexically.

Addresses CWE-78: platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. Note that this CVE is itself an escape from such a sandbox (macOS seatbelt): the payload lands in a file outside the sandbox and runs in the next shell, so the sandbox alone did not stop exploitation. Upgrading to 2.1.163 or later is the effective control.
