Anthropic silently patched Claude Code bypass

- Anthropic fixed a second Claude Code sandbox bypass after researcher Aonan Guan reported it on April 3, 2026, but issued no public advisory.
- Cybernews said the flaw affected Claude Code versions 2.0.24 through 2.1.89, and Anthropic closed Guan’s HackerOne report as a duplicate.
- Anthropic told Guan it had not decided whether to publish a CVE, according to Cybernews on May 21.

Anthropic patched another Claude Code security bypass after a researcher reported a flaw in the tool’s network sandbox, according to a May 21 Cybernews report. The report said Aonan Guan, head of cloud and AI security at Wyze Labs, disclosed the issue through HackerOne on April 3. Anthropic replied the next day that it had already identified and fixed the issue internally, Cybernews reported. The company had not issued a public advisory or CVE by May 21, according to the report.

### Which Claude Code protection was bypassed?

Anthropic said in an October 20, 2025 engineering post that Claude Code’s sandboxing relies on two boundaries: filesystem isolation and network isolation. The company said network isolation is meant to ensure Claude can connect only to approved servers and to stop a prompt-injected agent from leaking sensitive information. (cybernews.com)

Cybernews reported that Guan’s latest finding targeted that network sandbox. The article said the bypass exploited differences in how Claude Code’s sandbox and the operating system interpreted host names, allowing code inside the sandbox to connect to an attacker-controlled server. According to Cybernews, Guan said that could have exposed credentials, source code and internal data. (anthropic.com)

### How could an attacker have used it?

Cybernews reported that Guan said the flaw became more dangerous when paired with prompt injection. The article quoted him as saying that a hidden instruction in a GitHub issue comment, README or documentation page read by Claude Code could be enough to make the tool run attacker-controlled code inside the sandbox. (cybernews.com)

Anthropic’s own sandboxing post said prompt injection is a core risk for coding agents with access to files and commands. The company wrote that both filesystem and network isolation are needed because, without network isolation, a compromised agent could exfiltrate sensitive files such as SSH keys.

### Which versions were affected?

(cybernews.com) Cybernews reported that the vulnerability affected every Claude Code release from version 2.0.24 through 2.1.89. The report said Anthropic told Guan in its April 4 response that the issue was a “duplicate of an internal finding,” indicating the company believed the patch had already been applied. (anthropic.com)

Cybernews has reported other Claude Code security issues this year. On February 27, the outlet cited Check Point research on vulnerabilities that could let attackers execute code or redirect API requests after a user opened a malicious project, including one issue assigned CVE-2025-59536. On May 8, Cybernews reported that researchers at LayerX said they bypassed Anthropic’s initial fix for a separate flaw in the Claude browser extension within hours. (cybernews.com)

### Why is the disclosure process part of the story?

Cybernews reported that this was the second sandbox flaw Guan had reported in six months and that both were fixed without public disclosure. The article said Guan asked Anthropic whether it planned to publish a CVE, and the company replied that it had “not yet decided” and could not provide a timeline. (cybernews.com)

Anthropic has publicly discussed Claude Code quality issues before. In an April 23, 2026 post, the company described three changes it said had affected Claude Code quality and outlined corrective steps. That post addressed model behavior rather than security, but it showed Anthropic has used public engineering notes for other Claude Code incidents. (cybernews.com)

### What comes next for users and researchers?

Anthropic’s last public answer on this flaw, as reported by Cybernews on May 21, was that it had not decided whether to issue a CVE. Claude Code remains a central Anthropic product: the company’s product page says the tool can read codebases, edit files, run tests and deliver committed code, while a February 20 announcement introduced Claude Code Security in limited research preview. (anthropic.com) (cybernews.com)