Anthropic Silently Patched Claude Code Sandbox Bypass; Second Bypass in Five Months, No CVE Issued

Security researcher Aonan Guan disclosed on May 20, 2026, that Anthropic Claude Code's network sandbox was vulnerable to a SOCKS5 hostname null-byte injection from October 20, 2025 (sandbox GA) through April 1, 2026 (v2.1.90). The vulnerability allowed an attacker to bypass wildcard allowlist filters (e.g., `*.google.com`) by injecting a null byte into a hostname: `attacker-host.com\x00.google.com`. The filter saw the trailing `.google.com` and approved the connection, but the OS resolver truncated at the null byte and dialed `attacker-host.com`. This is the second Claude Code sandbox bypass in five months; the first (CVE-2025-66479, reported by Guan in December 2025) involved the sandbox interpreting `allowedDomains: []` as 'allow everything' rather than 'block all.' Anthropic patched the null-byte injection in v2.1.90 on April 1, 2026, but did not issue a CVE for Claude Code, did not mention the fix in release notes, and marked Guan's HackerOne report as a duplicate of an internal finding. Anthropic stated it identified and fixed the issue before receiving Guan's report.

An attacker who can influence code executed inside the Claude Code sandbox (e.g., via prompt injection such as the Comment and Control technique Guan previously disclosed) can craft a SOCKS5 hostname with a null byte to bypass the user's configured network allowlist. This enables data exfiltration from any resource the sandbox can access: credentials, source code, environment variables, cloud metadata, internal APIs, and GitHub tokens. The bypass is particularly dangerous when combined with prompt injection, where an attacker hides instructions in a GitHub issue comment, pull request title, or repository README that Claude Code reads, causing the agent to execute attacker-controlled code. The null-byte injection then allows that code to send data to any internet host, even when the user has restricted egress to a strict allowlist.

Any deployment of Claude Code from v2.0.24 (October 20, 2025, sandbox GA) through v2.1.89 (March 31, 2026) that relied on the network sandbox with a wildcard allowlist. Users who ran Claude Code with a wildcard allowlist on a credential-bearing system during this window should treat the period as a potential exfiltration event. The vulnerability affects macOS and Linux deployments. Organizations using Claude Code for development on systems with access to production credentials, cloud infrastructure, or internal networks should audit logs and access patterns for the affected period.

Upgrade to Claude Code v2.1.90 or later (released April 1, 2026). Review network and authentication logs for the period October 20, 2025 - April 1, 2026 for anomalous outbound connections from systems running Claude Code. Rotate credentials and tokens that were accessible to Claude Code during the vulnerable window. Implement least-privilege service accounts for any AI agent with network access. For organizations using AI coding agents in production, treat agent execution environments as untrusted and enforce authorization at API gateways, not just at the agent's local sandbox. Consider network-layer monitoring (egress filtering, DNS logging) as a secondary control independent of agent-provided sandboxes.