CVE-2026-55607 in claude-code
Summary
by MITRE • 06/29/2026
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/29/2026
The vulnerability in Claude Code versions 2.1.38 through 2.1.163 represents a critical directory traversal and privilege escalation issue stemming from improper worktree handling within the agentic coding tool. This flaw allowed attackers to manipulate git worktree operations in ways that could bypass sandbox restrictions, creating a pathway for arbitrary code execution outside the intended security boundaries. The vulnerability specifically exploited the interaction between git's filesystem monitoring capabilities and symlink manipulation during worktree creation and navigation processes.
The technical implementation of this vulnerability involves git directory confusion attacks that leverage the ability to create worktrees with the name ".git" and subsequently navigate to worktrees located outside the designated sandbox context. This occurs through a combination of symlink manipulation techniques and the execution of git fsmonitor operations during worktree handling. When Claude Code processes worktree operations, it fails to properly validate or restrict access to git directories that might be referenced through symbolic links, allowing attackers to redirect file operations to arbitrary locations within the filesystem.
The operational impact of this vulnerability extends beyond simple directory traversal, as it enables attackers to overwrite critical user configuration files in the home directory, including sensitive files like .zshenv that could be leveraged for privilege escalation. The attack requires a specific user interaction pattern where the victim must clone a malicious repository containing prompt injection content and subsequently run Claude Code against it, making exploitation somewhat dependent on social engineering factors. However, once executed, this vulnerability allows attackers to execute code outside of the seatbelt sandbox restrictions that are designed to contain potentially malicious operations.
The root cause of this vulnerability aligns with common software security weaknesses documented in CWE categories related to improper input validation and insufficient access control mechanisms. This particular flaw demonstrates how seemingly benign file system operations can be exploited when proper boundary checks are absent, particularly in tools that interact extensively with version control systems. The vulnerability's exploitation pathway connects to ATT&CK techniques involving privilege escalation through malicious configuration files and command execution outside of expected security contexts. Organizations using Claude Code should immediately upgrade to version 2.1.163 or later to mitigate this risk, as the fix addresses the core worktree handling logic that permitted the directory confusion attack vectors. The vulnerability highlights the importance of proper sandboxing mechanisms in development tools and the potential for sophisticated attacks when file system access controls are improperly implemented.