Critical Sandbox Bypass in Claude Code Exposes User Data

Critical Sandbox Bypass in Claude Code Exposes User Data

First seen 20 May 2026, 21:13 UTC LetsdatascienceTheregisteroddguan.comCybersecuritynewsGbhackers+1 76% similarity 71.0

Article Content

Browse articles
ThreatCluster

Anthropic's Claude Code AI platform has been found to have a critical network sandbox bypass vulnerability, allowing attackers to exfiltrate sensitive data, including user credentials and source code. Discovered by researcher Aonan Guan, this flaw is the second complete bypass identified within six months. The attack method involves a SOCKS5 hostname null-byte injection that tricks the sandbox's allowlist filter. This vulnerability existed for over five months without a public advisory or CVE for the main product, only affecting the underlying sandbox-runtime library. The first bypass was documented as CVE-2025-66479, published on December 4, 2025. Users who configured the sandbox with wildcard allowlists were particularly at risk, as the sandbox failed to enforce network restrictions as documented. The issue has raised significant concerns about the reliability of the sandboxing mechanism in AI-assisted coding tools.

Key Points: • Claude Code's sandbox bypass allows exfiltration of sensitive user data. • The vulnerability was active for over five months without a public advisory. • A second bypass was discovered, raising concerns about the security of AI coding tools.

ThreatCluster AI

Timeline

2025-12-02
CVE-2025-66479 published
A critical flaw in the sandbox-runtime library was documented, allowing unrestricted network access.
Article 2
2025-12-17
CVE-2025-68143 published
Another vulnerability was published, further highlighting security issues in the platform.
Date unknown
2026-04-01
Claude Code v2.1.90 released
A patch was released addressing the sandbox bypass vulnerabilities identified by researchers.
Article 1
2026-05-20
Researcher discloses second bypass
Aonan Guan publicly disclosed a second complete sandbox bypass, emphasizing the lack of advisories from Anthropic.
Article 3
2026-05-21
Public awareness raised
Multiple news outlets report on the vulnerabilities, highlighting the risks to users of Claude Code.
Article 5

Community

Browse all →