CVE-2026-55607

Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163.
Configurations

Configuration 1 (hide)

cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*

History

30 Jun 2026, 16:17

Type Values Removed Values Added
CPE cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*
First Time Anthropic
Anthropic claude Code
References () https://github.com/anthropics/claude-code/security/advisories/GHSA-7835-87q9-rgvv - () https://github.com/anthropics/claude-code/security/advisories/GHSA-7835-87q9-rgvv - Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8

29 Jun 2026, 15:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-29 15:16

Updated : 2026-06-30 16:17


NVD link : CVE-2026-55607

Mitre link : CVE-2026-55607

CVE.ORG link : CVE-2026-55607


JSON object : View

Products Affected

anthropic

  • claude_code
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-59

Improper Link Resolution Before File Access ('Link Following')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')