Claude Code CVE-2026-39861: symlink-assisted sandbox escape fixed
A recent advisory describes a flaw in Claude Code’s sandbox that allowed writes outside the intended workspace by combining a sandboxed process with an unsandboxed helper. The issue involved symbolic links (symlinks): a sandboxed command could create a symlink that pointed outside the workspace, and when Claude Code later wrote to a path beneath that symlink, an unsandboxed process followed the link and wrote to the external location without prompting the user.

Why it matters

Tools that execute code on your behalf rely on strict boundaries. When those boundaries can be bridged—even indirectly—local files, configuration, or startup paths may be modified in ways the user did not intend. The advisory notes that this behavior could lead to writes at arbitrary locations and “potentially” to code execution outside the sandbox. It also notes that reliably triggering this required the ability to add untrusted content into a Claude Code context window to induce sandboxed code execution via prompt injection.

What the advisory confirms

According to the GitHub advisory (CVE-2026-39861), the sandbox did not prevent creation of symlinks pointing beyond the workspace. An unsandboxed part of Claude Code subsequently honored those links and wrote to their targets without user confirmation. The combination enabled a write outside the workspace that neither component could perform on its own. The vendor reports that users on standard auto-update have already received the fix, and users who update manually should move to the latest version.

What remains unclear

The advisory text available does not list affected versions, platforms, or a public exploit. It also does not state whether the issue was exploited in the wild. Those details may be clarified in future vendor notes, but they are not present in the referenced summary.

Practical next steps

  • Claude Code users: ensure the application is updated to the latest release. The advisory states that auto-update users received the fix automatically; manual-update users should update now.

Related note: jotty.page path traversal (CVE-2026-42564)

In a separate advisory, the self-hosted notes app jotty.page had an unauthenticated path traversal in the endpoint /api/app-icons/[filename]. Prior to version 1.22.0, the filename parameter was joined into a filesystem path without proper traversal or boundary checks, allowing file reads outside data/uploads/app-icons/. Encoded traversal sequences such as ..%2F..%2F could bypass the intended directory restrictions. The issue is fixed in 1.22.0. The advisory highlights the risk of sensitive file disclosure from this flaw.
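Both advisories describe the same root cause, a path checked as typed rather than as it resolves on disk: a symlink beneath the workspace that points outside it, and an encoded `..%2F..%2F` sequence joined into a filename path. The following is an added example, not code from Claude Code or jotty.page; `confine()` and `demo()` are hypothetical names, and the workspace, link and requests are constructed in a temporary directory to show the naive write landing outside and the checked version rejecting it.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathEscape(ValueError):
    """Raised when a requested path resolves outside its allowed root."""


def confine(root: Path, requested: str) -> Path:
    """Resolve `requested` relative to `root` and return the real on-disk path,
    or raise PathEscape if it lands outside `root`.

    Percent-decoding happens before the join so '..%2F' is seen as '../', and
    os.path.realpath follows every symlink in the chain, so the containment
    check is made against the final target rather than the path as typed.
    """
    root_real = Path(os.path.realpath(root))
    candidate = Path(os.path.realpath(root_real / unquote(requested)))
    if candidate != root_real and root_real not in candidate.parents:
        raise PathEscape(f"{requested!r} resolves to {candidate}, outside {root_real}")
    return candidate


def demo() -> dict:
    """Build a constructed workspace containing a symlink that points outside it,
    show a naive write following the link, then run requests through confine()."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside"
        workspace = Path(tmp) / "workspace"
        outside.mkdir()
        workspace.mkdir()
        # Step 1 (sandboxed side): a link inside the workspace pointing out of it.
        (workspace / "escape").symlink_to(outside, target_is_directory=True)
        # Step 2 (unsandboxed side, naive): a write "inside" the workspace
        # actually lands in `outside`, because the directory component is a link.
        (workspace / "escape" / "file.txt").write_text("written through the link")
        results = {"naive_wrote_outside": (outside / "file.txt").exists()}
        # The same request, an encoded traversal, and a legitimate path, checked.
        for req in ("escape/file.txt", "..%2F..%2Fetc%2Fpasswd", "notes/today.md"):
            try:
                confine(workspace, req)
                results[req] = "allowed"
            except PathEscape:
                results[req] = "rejected"
        return results
```

Calling `demo()` returns a dict in which the naive write is reported as having landed outside the workspace, while the symlinked and percent-encoded requests are rejected and only the plain in-workspace path is allowed.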

Closing thoughts

Both cases revolve around trust boundaries at the file-system layer: one through symlinks that blur the line between sandbox and host, and the other through insufficient validation of user-supplied paths. The confirmed guidance is straightforward—update Claude Code to the latest version and, for jotty.page, upgrade to 1.22.0. Additional technical details, including precise affected versions for Claude Code, have not been provided in the referenced summaries.

https://github.com/advisories/GHSA-vp62-r36r-9xqp
