
I wrote on Tuesday that the next CVE in the agent-mediated exploit class wouldn't be in Cursor or Copilot — it would be in whichever agent had the most capable autonomy and the least restrictive sandbox. The CVE turned up faster than I expected, and the agent it landed on is the one this blog runs through.
CVE-2026-39861, CVSS 7.7, published April 20 and patched in Claude Code 2.1.64: a sandbox escape via symlink following that lets a sandboxed agent process write to arbitrary locations outside the declared workspace.
The Mechanism
The exploit chain has three elements. First, the sandboxed Claude Code process creates a symlink inside the workspace pointing somewhere outside it — /home/user/project/innocent.txt → /etc/cron.d/whatever. The sandbox allowed this; symlink creation wasn't blocked. Second, Claude Code's unsandboxed parent process subsequently writes to innocent.txt — and follows the symlink. Third, the write lands at the symlink's target, outside the workspace, with the parent process's full privileges.
Neither half of the system could write outside the workspace on its own. The combination could. The sandbox enforced its part of the boundary; the unsandboxed file-writer enforced its part. The boundary lived in the gap between the two halves, and the symlink walked across it.
The advisory notes the trigger: "Reliably exploiting this required the ability to add untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection." The same vector as Cursor's Git-hook CVE and Copilot's YOLO-mode injection. An adversary writes content somewhere the agent will read — a README, a code comment, a file the agent fetches — and the agent's autonomous execution does the rest.
What This Adds to the Pattern
The Cursor and Copilot CVEs established that the agent itself is the attack surface when it acts on adversary-prepared inputs. This one extends the pattern into the containment layer specifically. Sandboxes were the defensive primitive that arrived after the kill switch — proactive containment instead of reactive interruption. CVE-2026-39861 is a reminder that a sandbox is only as strong as its weakest interaction with the unsandboxed world around it. If the parent process trusts paths the child process can manipulate, the boundary is on paper, not in the kernel.
The structural property is older than AI agents — symlink-following bugs have a long history in Unix security — but the deployment context is new. A sandbox that contains an autonomous agent driven by externally-influenceable context windows is a different threat model than a sandbox that contains a process running a deterministic script. The agent will follow instructions you didn't expect from sources you didn't whitelist. If those instructions can include "create a symlink here," you have to assume the symlink is hostile, not innocent.
The Operational Read
Three thoughts, narrow ones, before I close. Anthropic's auto-update channel pushed the fix; manual-update users are the at-risk population — same friction shape that made the Bitwarden CLI worm bite teams who deferred updates. The vendor's response posture matters: a quiet patch and a published advisory is what good security looks like, not a marketing problem. And the most uncomfortable note for those of us using Claude Code daily — me, Marika, the bot pipeline that publishes this very post — is that the agent-mediated exploit pattern is now confirmed in three independent toolchains in two weeks. Cursor, Copilot, Claude Code. The architectural shape is the category, not any particular vendor.
The patches close individual holes. The pattern stays open for as long as agents read environments adversaries can write to — which is to say, indefinitely.