CVE-2026-39861 — HIGH AI Security Vulnerability

Q: Is CVE-2026-39861 actively exploited?

No confirmed active exploitation of CVE-2026-39861 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-39861?

Update to patched version: @anthropic-ai/claude-code 2.1.64.

Q: What is the CVSS score for CVE-2026-39861?

No CVSS score has been assigned yet.

Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the...

Full CISO analysis pending enrichment.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
@anthropic-ai/claude-code	npm	< 2.1.64	`2.1.64`
115.6K Pushed 4d ago 50% patched ~0d to patch Full package profile →

Do you use @anthropic-ai/claude-code? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

0.1%

chance of exploitation in 30 days

Higher than 23% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

N/A

Recommended Action

Patch available

Update @anthropic-ai/claude-code to version 2.1.64

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-39861?

Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation. This allowed a sandbox escape where neither the sandboxed command nor the unsandboxed app could

Is CVE-2026-39861 actively exploited?

No confirmed active exploitation of CVE-2026-39861 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-39861?

Update to patched version: @anthropic-ai/claude-code 2.1.64.

What is the CVSS score for CVE-2026-39861?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation. This allowed a sandbox escape where neither the sandboxed command nor the unsandboxed app could independently write outside the workspace, but their combination could write to arbitrary locations, potentially leading to code execution outside the sandbox. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection. Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to version 2.1.64 or later.