Anthropic patches Claude Code sandbox bypass

- Anthropic quietly patched a vulnerability that could let attackers bypass Claude Code’s network sandbox and access resources outside the intended execution boundary.
- The issue affected Claude Code’s sandboxing for code execution and was fixed without broad public disclosure of exploit details or timing.
- Security teams point out this underscores how rapidly adopted AI tools expand attack surfaces and need built-in review. (securityweek.com)

1/ Anthropic has patched a Claude Code vulnerability that let code running inside its sandbox bypass network restrictions and reach destinations outside the intended boundary. SecurityWeek reported the fix on May 21. (securityweek.com)

2/ Claude Code’s sandbox is supposed to do two things at once: limit filesystem access and limit network access. Anthropic’s docs say the bash tool uses OS-level controls plus a proxy-based network filter to enforce those boundaries. (code.claude.com)

3/ That matters because Anthropic has explicitly framed sandboxing as protection against prompt injection. In its October 2025 engineering post, the company said network isolation helps stop a compromised agent from leaking sensitive information or downloading malware. (anthropic.com)

4/ The reported flaw hit that network-isolation layer. SecurityWeek said the bug could allow attackers to bypass Claude Code’s network sandbox, and The Register reported that one of two patched bugs could let data inside the sandbox be sent to any server on the internet. (securityweek.com)

5/ Aonan Guan, identified by The Register as Wyze Labs’ head of cloud and AI security, said the issue could expose credentials, source code and other private data if chained with attacker-controlled instructions. That is the key risk path: not just “sandbox bug,” but “sandbox bug plus prompt injection.” (theregister.com)

6/ The public record suggests Anthropic fixed the issue in product updates rather than through a prominent advisory. SecurityWeek said the patch came without broad public disclosure of exploit details or timing, and current Claude Code release notes visible on GitHub do not flag this specific sandbox bypass by name. (securityweek.com)

7/ There is also a versioning trail. Third-party reports citing Anthropic’s public repositories say a relevant sandbox-runtime commit landed on March 27, 2026 and reached Claude Code v2.1.88 on March 31, 2026, though Anthropic did not publish a CVE-backed advisory in the sources reviewed here. That timing is based on outside reporting, not a direct Anthropic incident post. (thaicert.or.th)

8/ Anthropic’s own documentation already contains the broader lesson. The sandboxing docs warn that “effective sandboxing requires both filesystem and network isolation” and say misconfiguration can create bypasses. In other words, the company had documented this category of failure mode even before this disclosure. (code.claude.com)

9/ The security takeaway for users of AI coding tools is narrow but concrete: treat built-in sandboxes as one control, not the whole control plane. If an agent can read code, touch secrets, run shell commands, or access networked resources, teams still need egress restrictions, credential scoping, and review around prompt-injection exposure. Anthropic’s docs and the sandbox-runtime repo both describe the sandbox as a security layer, not a complete containment system. (code.claude.com)

10/ The next place to watch is Anthropic’s Claude Code changelog and sandboxing documentation. As of May 21, 2026, the changelog was at v2.1.146, and the docs still describe sandboxing as a core safety feature for more autonomous agent execution. (code.claude.com)

Shared from Scout - Be the smartest in the room.