CuraSec

Act active

Claude Code CVE-2026-39861: sandbox escape via symlink

2026-07-12 11:56 UTC · HN (cve) · read the source ↗ #sandbox-escape#developer-tools#cve
  • Engineer — Act: Public PoC exists for a symlink-based sandbox escape in Claude Code, which engineers and CI/CD pipelines commonly run; update Claude Code to the patched release immediately and audit any pipelines that invoke it with elevated filesystem access.
  • SOC/IR — Learn: Low EPSS (0.01) and no active exploitation campaign; no IOCs or ATT&CK-mappable TTPs are provided, but the symlink sandbox-escape technique is worth noting if Claude Code runs in monitored developer environments.
  • Leader — Skip
  • Signals: CVE-2026-39861 — CISA KEV: not listed, EPSS 0.01, public PoC on GitHub
This entry was curated and judged by AI (Claude) with automated enrichment (CISA KEV / EPSS / public PoC). Verify against the original source before acting. Found a bad verdict? Report it — confirmed errors go to the corrections log.