Skip to main content

Claude Code EUVDEUVD-2026-40117

| CVE-2026-55607 HIGH
Path Traversal (CWE-22)
2026-06-29 GitHub_M
7.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.3 HIGH

Malicious repo is network-delivered (AV:N) but needs symlink/fsmonitor chaining (AC:H) and the victim to clone and run the tool (UI:R); the sandbox escape changes scope (S:C) with full host code execution (C/I/A:H).

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 29, 2026 - 16:01 EUVD
Analysis Generated
Jun 29, 2026 - 15:19 vuln.today

DescriptionCVE.org

Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163.

AnalysisAI

Sandbox escape and code execution in Anthropic's Claude Code CLI (versions 2.1.38 through 2.1.162) lets a malicious repository break out of the macOS seatbelt sandbox by abusing git worktree handling. By creating a worktree named ".git" and combining symlink manipulation with git fsmonitor execution, an attacker can overwrite files in the user's home directory such as .zshenv to achieve code execution outside the sandbox. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Victim clones malicious repository
Delivery
Run Claude Code against repo
Exploit
Worktree named .git confuses git directory
Execution
fsmonitor executes with symlink redirection
Persist
Overwrite ~/.zshenv in home directory
Impact
Shell sources file, code runs outside sandbox

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to clone a malicious repository containing prompt-injection content and then run Claude Code (versions 2.1.38-2.1.162) against it; the repo must carry a git worktree named ".git" and rely on symlink manipulation plus git fsmonitor execution during worktree operations to redirect writes into the home directory (for example overwriting .zshenv). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H, base 7.7) signals network delivery with no authentication but with a present attack requirement (AT:P) and passive user interaction, which aligns with the description: the attacker needs no credentials, but the victim must clone a malicious repo and run Claude Code against it, and a prompt-injection/setup condition must hold. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes an attractive open-source repository seeded with prompt-injection content and a crafted git worktree named ".git" plus malicious symlinks and fsmonitor configuration. A developer clones it and runs Claude Code against the project; during worktree operations git executes the attacker-controlled fsmonitor program and writes are redirected via symlinks to overwrite ~/.zshenv. …
Remediation Vendor-released patch: 2.1.163 - upgrade Claude Code to 2.1.163 or later, which fixes the worktree handling, per advisory GHSA-7835-87q9-rgvv (https://github.com/anthropics/claude-code/security/advisories/GHSA-7835-87q9-rgvv). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit installed Claude Code CLI versions across macOS endpoints to identify users on versions 2.1.38-2.1.162. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-35022 CRITICAL POC
9.3 Apr 06

OS command injection in Anthropic Claude Code CLI and Agent SDK for Python allows remote, unauthenticated attackers to e

CVE-2026-35020 HIGH POC
8.6 Apr 06

OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python allows local attackers to execute arbi

CVE-2026-35021 HIGH POC
8.4 Apr 06

OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python enables arbitrary command execution vi

CVE-2026-25725 CRITICAL
10.0 Feb 06

Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code

CVE-2025-66032 CRITICAL POC
9.8 Dec 03

Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and shor

CVE-2026-25722 CRITICAL
9.1 Feb 06

Claude Code prior to version 2.0.57 failed to properly validate MCP tool inputs, allowing malicious MCP servers to injec

CVE-2025-59536 HIGH POC
8.8 Oct 03

Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the sta

CVE-2026-24887 HIGH POC
8.8 Feb 03

Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command p

CVE-2026-39861 HIGH POC
7.7 Apr 21

Sandbox escape in Claude Code versions prior to 2.1.64 enables arbitrary file writes outside the workspace by exploiting

CVE-2025-59828 HIGH
7.7 Sep 24

Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no au

CVE-2026-21852 HIGH POC
7.5 Jan 21

Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious reposi

CVE-2026-24052 HIGH
7.4 Feb 03

Claude Code versions prior to 1.0.111 fail to properly validate trusted domains for WebFetch requests, allowing attacker

Share

EUVD-2026-40117 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy