Anthropic fixed Claude Code sandbox bypass quietly

Anthropic patched another Claude Code sandbox-bypass flaw without issuing a public advisory, according to a May 21 report by Cybernews. The report said security researcher Aonan Guan disclosed the issue through HackerOne on April 3 and was told the next day that Anthropic had already identified and fixed it internally. Cybernews said no CVE had been assigned as of publication and that users were not notified through a public security bulletin. Anthropic’s own engineering materials describe network isolation as a core control meant to stop a prompt-injected agent from leaking sensitive data. ### Which Claude Code protection was bypassed? Anthropic said in an October 20, 2025 engineering post that Claude Code sandboxing relies on two boundaries: filesystem isolation and network isolation. The company wrote that network isolation is intended to ensure Claude Code “can only connect to approved servers,” and said that without it, a compromised agent could exfiltrate files such as SSH keys. (cybernews.com) Cybernews reported that Guan’s latest finding targeted that network boundary. The outlet said the flaw exploited differences in how Claude Code’s sandbox and the operating system interpreted host names, allowing code running inside the sandbox to connect to an attacker-controlled server despite outbound restrictions. ### Who found the flaw, and what did he say happened? (anthropic.com) Aonan Guan, identified by Cybernews as head of cloud and AI security at Wyze Labs, said this was the second sandbox flaw he had reported in about six months. Cybernews said Guan submitted the report to Anthropic through HackerOne on April 3 and received a reply on April 4 saying the issue was a duplicate of an internal finding that had already been patched. (cybernews.com) Cybernews said Guan asked whether Anthropic planned a public disclosure and was told the company had “not yet decided” whether to publish a CVE and could not provide a timeline. Guan told the outlet that the lack of disclosure could leave organizations unaware they had been running a vulnerable version. ### What versions were exposed, and what was the risk? (cybernews.com) Cybernews reported that every Claude Code release from 2.0.24 through 2.1.89 was affected. The report said the bypass could have let attackers exfiltrate credentials, source code and internal data from inside the sandbox. The Register, citing the same researcher, reported that two patched bypass bugs in Claude Code’s network sandbox could allow data inside the sandbox — including credentials, source code and other private information — to be sent to any server on the internet. (cybernews.com) Cybernews said Guan viewed the flaw as especially dangerous when paired with prompt injection through material Claude Code reads, such as a GitHub issue comment, README or documentation page. ### Has Anthropic disclosed other Claude Code flaws publicly? GitLab’s advisory database lists multiple 2026 Claude Code vulnerabilities with CVE identifiers, including CVE-2026-39861, a sandbox escape via symlink handling, and CVE-2026-33068, a workspace-trust dialog bypass through a repo-controlled settings file. The database entry for CVE-2026-25723 says users on the standard Claude Code auto-update path received that fix automatically, while manual updaters needed to update themselves. (theregister.com) CSO Online reported in April that researchers had identified another Claude Code weakness from leaked source code and described it as a vulnerability Anthropic had already fixed. That report, together with the Cybernews account, shows Anthropic has patched some Claude Code issues before broad public writeups appeared. (advisories.gitlab.com) ### What can users check now? Anthropic’s published security guidance still says effective Claude Code sandboxing depends on both filesystem and network isolation. Users who rely on Claude Code in autonomous or low-prompt modes can compare their installed version against the affected range reported by Cybernews and watch for any future Anthropic disclosure or CVE assignment tied to Guan’s April 3 HackerOne report. (anthropic.com) (csoonline.com)