The Register: Claude sandbox hole fixed

- The Register reported on May 20 that Anthropic had patched a Claude Code sandbox bypass after researchers said the flaw was real and dangerous.
- Anthropic’s own 2025 sandboxing post said network isolation should stop prompt-injected Claude from leaking “sensitive files like SSH keys” to servers. (anthropic.com)
- Anthropic’s public Claude Code advisories page and release history are the next places to watch for any formal disclosure. (github.com)

The Register reported on May 20 that Anthropic had fixed a vulnerability in Claude Code’s network sandbox after security researchers said the bypass was “real and dangerous.” The report said the issue could let an attacker send data from inside the sandbox to any server on the internet, including credentials, source code and other private information. (anthropic.com)

Anthropic has publicly described Claude Code’s sandbox as a core defense against prompt injection. (github.com) In an October 20, 2025 engineering post, the company said network isolation was designed to ensure Claude could connect only to approved servers and to prevent a prompt-injected agent from leaking sensitive files such as SSH keys.

The dispute in this story is not whether sandboxing matters. Anthropic’s own documentation says it does. The question is whether a hole in that protection was fixed without the kind of public notice security teams usually expect. (theregister.com)

### What was Claude Code’s sandbox supposed to prevent?

Anthropic said on October 20, 2025 that Claude Code’s sandbox relied on two boundaries: filesystem isolation and network isolation. The company wrote that network isolation was meant to stop a compromised or prompt-injected agent from exfiltrating sensitive files or downloading malware. (anthropic.com)

Claude Code is marketed by Anthropic as an agentic coding system that can read a codebase, make changes across files and run tests. That makes the sandbox more than a background feature: it is part of the security case for letting the tool act with fewer permission prompts. (anthropic.com)

### What did The Register say researchers found?

The Register said on May 20 that two now-patched bypass bugs affected Claude Code’s network sandbox. It reported that one bug allowed attackers to send anything inside the sandbox to any server on the internet, and said unnamed researchers had described the flaw as “real and dangerous.” (anthropic.com)

SecurityWeek reported the same day that Anthropic had silently patched a vulnerability that would have allowed an attacker to bypass the Claude Code network sandbox. (anthropic.com) Other security writeups, citing the same reporting trail, said Anthropic had not published a CVE or advisory for that specific bypass as of early May.

### Is Anthropic already issuing security advisories for Claude Code?

GitHub’s advisory database shows Anthropic has published security advisories for Claude Code before. (theregister.com) One advisory, GHSA-vp62-r36r-9xqp, covers a separate sandbox escape in versions before 2.1.64 that allowed symlink-based writes outside the workspace and could lead to code execution outside the sandbox.

The National Vulnerability Database lists that flaw as CVE-2026-39861. NVD says users on standard Claude Code auto-update received the fix automatically and advises manual updaters to move to version 2.1.64 or later. (securityweek.com)

That matters because it shows Anthropic has used formal disclosure channels for at least one Claude Code sandbox issue. The Register’s report focused on a different bypass that, according to the article and follow-on security coverage, was patched without a comparable public notice. (github.com)

### Why does the missing advisory matter to users?

Anthropic’s own product and engineering materials present Claude Code as a tool that can operate with broad access inside developer workflows. When a vendor says a sandbox blocks prompt-injected exfiltration, security teams may rely on that claim in deciding how much autonomy to allow. (nvd.nist.gov)

The practical problem is version awareness. GitHub’s public releases page for Claude Code is active, but if a security fix is not called out in release notes or a security advisory, users who pin versions or review changes manually may not know a high-risk bug was corrected. (nvd.nist.gov)

### Where should readers look next?

Anthropic’s public security advisories page for the Claude Code repository is the clearest place to watch for any formal notice tied to this bypass. The company’s GitHub releases page is the other public record that would show whether later versions mention the fix. (anthropic.com)

As of May 21, the public record shows one disclosed Claude Code sandbox CVE, CVE-2026-39861, and reporting from The Register and SecurityWeek about a separate network-sandbox bypass that was patched but not publicly detailed in the same way. (github.com) (nvd.nist.gov) (github.com)
