276/69 Thursday, May 21, 2026
Security researchers have disclosed that Anthropic has patched a vulnerability in Claude Code that could allow attackers to bypass network sandbox restrictions. The issue affected the mechanism responsible for controlling outbound network connections in Claude Code. Under normal conditions, all outbound traffic is forced through a local allowlist proxy, automatically blocking connections to unauthorized hosts. However, the vulnerability created a risk that communications could be redirected to unauthorized destinations and potentially abused in combination with prompt injection attacks to exfiltrate sensitive data.
According to the report, the vulnerability involved a SOCKS5 hostname null-byte injection flaw. The filtering mechanism could mistakenly permit hostnames ending with domains included in the allowlist, such as *.google.com. By inserting a \x00 null byte into the hostname, the system would truncate the string at the null byte position and establish a connection to an attacker-controlled host instead. Researchers stated that the vulnerability had existed since October 20, 2025, when the network sandbox feature became generally available. If combined with prompt injection techniques, the flaw could potentially be exploited to steal sensitive information such as environment variables, credentials, authentication tokens, and infrastructure-related data.
Anthropic stated that the company had already identified and fixed the issue before receiving the researchers’ report. The patch was recorded as a public commit in the sandbox-runtime repository on March 27, 2026, and was later included in Claude Code version 2.1.88 released on March 31, 2026. However, reports indicate that Anthropic did not assign a CVE identifier to the vulnerability and did not mention the issue in the official release notes. Users are therefore advised to update Claude Code to the latest version immediately and restrict AI agent access to sensitive data within development environments to reduce the risk of exploitation through prompt injection attacks.
Source https://www.securityweek.com/anthropic-silently-patches-claude-code-sandbox-bypass/