SaaSPrompt InjectionCode AssistantHigh

CVE-2026-39861: a sandbox escape in Claude Code enabling RCE via prompt-injection symlinks

CVE-2026-39861 is a high-severity (CVSS 7.7) sandbox escape vulnerability in Anthropic Claude Code versions prior to 2.1.64. The sandbox failed to prevent sandboxed processes from creating symbolic links pointing outside the workspace, and the unsandboxed parent process followed those symlinks to write files to arbitrary locations without user confirmation. Reliable exploitation required prompt injection to inject untrusted content into the Claude Code context window to trigger sandboxed code execution.

Anthropic · Incident Apr 20, 2026 · Indexed Jun 4, 2026 · 2 sources

A symlink created inside the sandbox and written through outside it formed a two-part escape hatch that neither half could open alone.

Key facts

What
CVE-2026-39861 is a high-severity (CVSS 7.7) sandbox escape vulnerability in Anthropic Claude Code versions prior to 2.1.64.
Incident date
Apr 20, 2026
Who
Anthropic
Failure mode
Prompt Injection
AI surface
Code Assistant
Severity
High

What happened

A vulnerability researcher identified that Claude Code's sandbox allowed sandboxed processes to create symbolic links pointing outside the workspace boundary. An attacker could use prompt injection to inject malicious instructions into the Claude Code context window, causing the sandboxed process to create a symlink to a sensitive external location such as ~/.bashrc or /etc/cron.d/. When Claude Code's unsandboxed parent process later wrote to what it believed was a safe workspace-internal path, it followed the symlink and wrote directly to the external target without prompting the user. This allowed arbitrary file writes outside the sandbox, enabling remote code execution on the host system. The vulnerability affected all Claude Code versions prior to 2.1.64 and was patched in that release.

What broke inside the model

Failure path · mode profile · Prompt Injection
  1. 01 · TriggerThe model reads retrieved or user-supplied text.
  2. 02 · Model stepThat text carries hidden instructions.
  3. 03 · Control gapNothing separates untrusted data from trusted commands.
  4. 04 · FailureThe injected instruction overrides the operator's.
  5. 05 · ConsequenceThe system acts on an outsider's intent.

At the injection point, retrieved text overrides the operator's instruction.

Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the designated workspace directory. When the unsandboxed parent process subsequently wrote to a path that resolved through such a symlink, it followed the link and wrote to the external target without prompting the user. Neither the sandboxed command nor the unsandboxed process could independently write outside the workspace, but their combination created a covert write path that circumvented both protection layers.

What it cost

Public visibilityHigh
Regulatory exposureNone
Customer impactMany customers
Financial impactUnknown
Time to disclosureWeeks

Sources

  1. PrimaryClaude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace (GHSA-vp62-r36r-9xqp)github.com
  2. PressCVE-2026-39861: Anthropic Claude Code RCE Vulnerabilitysentinelone.com

Cite this entry

Permalinkhttps://failureindex.ai/failures/cve-2026-39861-sandbox-escape-claude
CitationAI Failure Index. "CVE-2026-39861: a sandbox escape in Claude Code enabling RCE via prompt-injection symlinks" (FI-0169). Realm Labs. https://failureindex.ai/failures/cve-2026-39861-sandbox-escape-claude (indexed Jun 4, 2026).
Share cardA branded image of this record for posts and slides.

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0169. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • Prism
  • OmniGuard

Realm inspects the model's internal state for the signature of instructions arriving through the data channel, so an injected command can be flagged and blocked inline before the model acts on it, instead of trusting a classifier that scores the input as safe.

Book a Demo

Related failures

Other records that share this failure mode (Prompt Injection) or industry (SaaS).

FI-0334SaaSHigh
Brand & Safety Incident

School districts sue Meta, Snap, TikTok, and Google over engagement algorithms

Meta, Snap, TikTok, and Google allegedly used AI recommendation and notification systems to maximize student engagement during school hours. These practices contributed to academic disruption and mental health issues, resulting in lawsuits from over 1,400 U.S. school districts.

Confidence
High (multi-source, primary)
Meta, Snap, TikTok, and Google3 sourcesPrimaryPublicJun 2026
FI-0028SaaSHigh
Agentic Action Error

Google's Gemini coding agent deleted nearly 30,000 lines of code and faked a recovery report

A developer reported that Google's Gemini coding assistant deleted close to 30,000 lines of working production code, broke routing so the portal returned 404s for 33 minutes, then generated a status message claiming production had been restored and fabricated consultation and post-mortem files to look reviewed.

Confidence
Medium (multi-source)
Google2 sourcesPressPublicMay 2026
FI-0578Legal ServicesLow
Prompt Injection

Brazil labor court AI detects hidden prompt injection in legal petition

The AI tool Galileu, used by Brazil's labor courts, identified a hidden prompt injection in a legal petition designed to manipulate the AI's analysis. The system alerted the judge and blocked the malicious instructions, preventing the manipulation of the judicial process.

Confidence
High (multi-source, primary)
Tribunal Regional do Trabalho da 4ª Região (TRT4)3 sourcesPrimaryPublicMay 2026