Claude Code patches symlink sandbox escape enabling arbitrary file writes
TL;DR — A symlink-following flaw in Claude Code’s sandbox can be abused to write files outside the workspace, creating a credible path from prompt injection to code execution beyond the sandbox.
What happened
Claude Code is an AI coding assistant CLI that runs tools/commands against a local repository workspace, attempting to sandbox risky operations.
On April 20, 2026, a GitHub security advisory for @anthropic-ai/claude-code disclosed CVE-2026-39861 (severity: High, CVSS overall score shown as 7.7) describing a sandbox escape via symlink following. Per the advisory, the sandbox did not prevent sandboxed processes from creating symlinks that point outside the workspace; when Claude Code later wrote to a path “within” that symlink, an unsandboxed process followed the symlink and wrote to the external target without prompting for confirmation.
The advisory notes reliable exploitation requires the ability to get untrusted content into a Claude Code context window in a way that triggers sandboxed code execution via prompt injection. This is notable because AI coding assistants increasingly sit on the boundary between untrusted text input and privileged local file/command execution — sandbox correctness and “workspace-only” guarantees are core safety controls in these tools.
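One way to catch the condition described above before a write, shown as an added example (not Claude Code's code or its fix): resolve the destination with symlinks followed and refuse it if the real path leaves the workspace. The names `lexists`, `resolveInsideWorkspace` and `demo`, and the temp-directory fixture, are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// lstat does not follow a final symlink, so a dangling link still counts as present.
function lexists(p) {
  try { fs.lstatSync(p); return true; } catch { return false; }
}

// Return the symlink-resolved path for `target` if it stays inside `workspace`,
// otherwise null. The file may not exist yet, so resolve the deepest existing
// ancestor and re-append the not-yet-created components.
function resolveInsideWorkspace(workspace, target) {
  const root = fs.realpathSync(workspace);
  let existing = path.resolve(root, target);
  const pending = [];
  while (!lexists(existing)) {
    pending.unshift(path.basename(existing));
    existing = path.dirname(existing);
  }
  let real;
  try {
    real = fs.realpathSync(existing);
  } catch {
    return null; // dangling symlink: a write would create its target
  }
  const full = path.join(real, ...pending);
  const rel = path.relative(root, full);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? null : full;
}

// Constructed fixture: a throwaway workspace with two links leaving it.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'ws-demo-'));
  const ws = path.join(base, 'workspace');
  const outside = path.join(base, 'outside');
  fs.mkdirSync(path.join(ws, 'src'), { recursive: true });
  fs.mkdirSync(outside);
  fs.symlinkSync(outside, path.join(ws, 'build'));
  fs.symlinkSync(path.join(outside, 'new.txt'), path.join(ws, 'dangling'));
  const allowed = (t) => resolveInsideWorkspace(ws, t) !== null;
  const result = { plain: allowed('src/new.js'), viaLink: allowed('build/out.txt'),
    dangling: allowed('dangling'), dotdot: allowed('../outside/x') };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

A resolve-then-write check is still racy if another process can change the path between the check and the write, so it complements an OS or container boundary rather than replacing one.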
Who is impacted
- Teams using the npm package @anthropic-ai/claude-code.
- Users relying on Claude Code’s sandbox guarantees to constrain file writes to the workspace.
| Component | Affected versions | Patched versions |
|---|---|---|
| @anthropic-ai/claude-code (npm) | < 2.1.64 | 2.1.64 |
What to do now
- Follow vendor remediation guidance:
  > Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to the latest version.
- Inventory where Claude Code runs in your org (developer endpoints, CI runners, ephemeral dev environments) and confirm the installed version is patched.
- Treat this as an AI-tooling supply-chain boundary issue: avoid feeding untrusted repository content / issues / PR text / chat logs into privileged Claude Code sessions without additional isolation.
- Where you must run AI coding tools against untrusted inputs, reduce blast radius with OS/container boundaries (least privilege, constrained filesystem access, and explicit workspace mounts only).
