CVE-2026-39861: Sandbox Escape via Symlink Following in Anthropic Claude Code

Claude Code is an agentic coding tool that executes commands within a restricted sandbox environment to prevent unintended modifications to the host system. The sandbox is designed to isolate the AI agent's operations, restricting file system access to a designated workspace directory. This isolation is critical for safely processing untrusted context or executing code generated by the language model.

In versions prior to 2.1.64, the security boundary between the restricted sandbox and the privileged host process contained a fundamental flaw. The sandbox environment failed to prevent the creation of symbolic links. Sandboxed processes could freely execute commands such as ln -s to create symlinks pointing to arbitrary locations outside the designated workspace directory.

While creating the symlink itself does not directly compromise the system, the vulnerability manifests during subsequent file operations. The unsandboxed host process, which manages file persistence with the full privileges of the user, processes file write requests generated by the agent. This host process did not adequately validate the canonicalized path of the target file, resulting in a classic Symlink Following vulnerability (CWE-61).

When the agent requests a write operation to a path within the workspace that is actually a symlink, the unsandboxed host process blindly follows the link. This combined failure allows an attacker to achieve arbitrary file writes outside the workspace, completely bypassing the intended sandbox restrictions.

The vulnerability stems from a two-part failure in the application's architectural security boundary. The primary flaw resides in the permissive nature of the sandbox environment. The execution constraints placed on the agent did not filter or hook system calls related to symbolic link creation, permitting the unrestricted execution of the UNIX ln command within the workspace.

The secondary, critical flaw exists in the unsandboxed main Claude Code application. This host process handles file writing operations on behalf of the agent to persist changes. It utilized standard file system APIs, such as Node.js fs.writeFile or equivalent native functions. By default, these standard APIs automatically traverse symbolic links to write to the ultimate target destination.

The host process implemented a flawed authorization check. It verified that the requested write path logically resided within the workspace directory string, but it failed to canonicalize the path before performing this verification. Without utilizing functions like fs.realpath to resolve all symbolic links and verify the final absolute path against the workspace boundary, the host process lacked true visibility into the actual write destination.

Exploiting this vulnerability requires chaining the symlink flaw with a Prompt Injection attack. The attacker must introduce malicious instructions into the Claude Code context window. This is typically achieved by placing untrusted content into a file the agent will process, such as a repository's README.md, an issue description, or downloaded web snippets.

The injected prompt overrides the agent's system instructions and dictates a specific sequence of actions. The first required action instructs the agent to create a symbolic link within the current workspace. For example, the prompt commands the execution of ln -s /home/user/.ssh/authorized_keys ./temp_workspace_link. The sandbox permits this operation, establishing the bridge to the host system.

The second required action triggers the vulnerability. The prompt instructs the agent to utilize its file-writing capability to output specific data to the newly created ./temp_workspace_link. The agent constructs the write request containing the attacker's payload, such as a malicious SSH public key, and forwards it to the host process.

The privileged host process receives the request, determines that ./temp_workspace_link is a permitted path string, and initiates the write operation. The operating system transparently resolves the symlink, routing the attacker's payload to /home/user/.ssh/authorized_keys. The host process completes the operation without prompting the user for confirmation.

The direct impact of CVE-2026-39861 is arbitrary file write capability on the host system. The attacker achieves the exact privileges of the user executing the Claude Code application. This fundamentally breaks the core security promise of the sandbox, exposing the entire host environment to malicious modifications.

Arbitrary file writes frequently lead to total system compromise. By overwriting specific configuration files, an attacker can establish persistent access or achieve arbitrary code execution. Common targets include ~/.ssh/authorized_keys for remote SSH access, ~/.bashrc or ~/.zshrc for command execution upon the next terminal session, or modifying existing system binaries and scripts in the user's $PATH.

The vulnerability holds a CVSS 4.0 score of 7.7, categorized as High severity. The vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N accurately reflects the required attack conditions. The Attack Vector is Network (N) due to the reliance on untrusted external context, and Attack Requirements are Present (P) because the attacker requires the prompt injection payload to be processed.

User Interaction is categorized as Passive (P). The user must initiate the Claude Code tool within a project containing the malicious context. However, the user is entirely unaware of the subsequent malicious actions, as the host process does not generate confirmation prompts when traversing the symlinks created by the sandboxed agent.

The definitive remediation for CVE-2026-39861 is updating the Claude Code installation. Anthropic addressed this vulnerability in version 2.1.64. Users utilizing standard package managers should execute npm install -g @anthropic-ai/claude-code@latest to ensure the patched version is installed and active on their systems.

The architectural fix requires strict path canonicalization within the unsandboxed host process. Before opening any file handles or initiating write operations, the host process must resolve the intended target path using functions equivalent to Node.js fs.realpath. The resulting absolute path must then be explicitly verified to ensure it resides entirely within the designated workspace directory boundary.

Security and detection engineering teams can implement monitoring to identify exploitation attempts. Endpoint Detection and Response (EDR) solutions should flag the execution of the ln -s command originating from the claude binary or its associated child process trees. This behavior is anomalous within standard AI agent workflows and serves as a strong indicator of compromise.

Additionally, File Integrity Monitoring (FIM) should be configured to alert on unexpected modifications to sensitive user profile directories. Unexpected writes to ~/.ssh/, shell configuration files, or sensitive environment variable files originating from Node.js processes associated with Claude Code should trigger immediate security review.