PT-2026-33883 · Anthropic · Claude-Code

Published 2026-04-21 · Updated 2026-05-19 · CVE-2026-39861

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Claude Code versions prior to 2.1.64

Description

The sandbox in this agentic coding tool failed to prevent sandboxed processes from creating symbolic links (symlinks) pointing to locations outside the workspace. When the unsandboxed process wrote to a path within such a symlink, it followed the link and wrote to the target location outside the workspace without user confirmation. This combination allows a sandbox escape, enabling arbitrary file writes to locations outside the workspace, which could potentially lead to code execution. Exploitation requires the ability to introduce untrusted content into the context window to trigger sandboxed code execution via prompt injection.

Recommendations

Update to version 2.1.64 or later.
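
A defensive pattern for the write side of the flaw described above, as an added example (not Anthropic's fix and not code from this advisory): the writer opens each path component relative to its parent with O_NOFOLLOW, so a symlink left in the workspace is refused instead of followed. The names safe_write and SymlinkInPath and the temporary directory layout are constructed for illustration; POSIX only.

```python
import errno
import os
import tempfile

class SymlinkInPath(Exception):
    """A path component is a symlink, so the write could leave the workspace."""

def _open(name, flags, dir_fd=None):
    # O_NOFOLLOW: the kernel refuses a symlink as the final component (ELOOP/ENOTDIR).
    try:
        return os.open(name, flags | os.O_NOFOLLOW | os.O_CLOEXEC, 0o644, dir_fd=dir_fd)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.ENOTDIR):  # ENOTDIR also covers a plain file
            raise SymlinkInPath(name) from exc
        raise

def safe_write(workspace, relpath, data):
    """Write data under workspace, opening each component relative to its parent."""
    parts = relpath.split("/")
    if os.path.isabs(relpath) or any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"not a plain relative path: {relpath!r}")
    dir_fd = _open(workspace, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:  # walk directories one at a time, never by full path
            nxt = _open(name, os.O_RDONLY | os.O_DIRECTORY, dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        fd = _open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, dir_fd)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    finally:
        os.close(dir_fd)

def demo():
    """Constructed layout: a workspace holding symlinks that point outside it."""
    with tempfile.TemporaryDirectory() as root:
        ws, outside = os.path.join(root, "workspace"), os.path.join(root, "outside")
        os.makedirs(os.path.join(ws, "src"))
        os.mkdir(outside)
        os.symlink(outside, os.path.join(ws, "build"))  # directory symlink
        os.symlink(os.path.join(outside, "rc"), os.path.join(ws, "notes.txt"))  # file symlink
        results = {}
        for rel in ("src/ok.txt", "build/out.txt", "notes.txt"):
            try:
                safe_write(ws, rel, b"data\n")
                results[rel] = "written"
            except SymlinkInPath:
                results[rel] = "refused"
        results["outside_entries"] = sorted(os.listdir(outside))
        return results
```

Because every open is relative to an already-open directory descriptor, a symlink swapped in between a path check and the write cannot redirect it, which a resolve-then-open check would not guarantee.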

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-39861
GHSA-VP62-R36R-9XQP

Affected Products

Claude-Code