<Vulnerability name="CVE-2026-55607">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-29T14:04:00</PublicDate>
    <Bugzilla id="2494422" url="https://bugzilla.redhat.com/show_bug.cgi?id=2494422" xml:lang="en:us">
Claude Code: @anthropic-ai/claude-code: Claude Code: Arbitrary code execution through git directory confusion
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.1</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-59</CWE>
    <Details xml:lang="en:us" source="Mitre">
Claude Code is an agentic coding tool.  From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Claude Code, an agentic coding tool, in its handling of worktrees. This vulnerability allowed the creation of specially named worktrees and navigation outside of the intended secure environment, leading to what is known as a 'git directory confusion attack'. By manipulating symbolic links and how git monitors file system changes, an attacker could overwrite important user files, potentially leading to unauthorized code execution on the user's system. This attack requires a user to interact with a malicious code repository.
    </Details>
    <Statement xml:lang="en:us">
This is an Important vulnerability in Claude Code, an agentic coding tool within OpenShift Lightspeed, stemming from a git directory confusion flaw. The vulnerability allows an attacker to overwrite user configuration files, leading to arbitrary code execution outside of sandbox restrictions. Exploitation requires a user to clone a malicious repository and then execute Claude Code against its contents.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:openshift_lightspeed">
        <ProductName>OpenShift Lightspeed</ProductName>
        <FixState>Affected</FixState>
        <PackageName>openshift-lightspeed/lightspeed-agentic-sandbox-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-55607
https://nvd.nist.gov/vuln/detail/CVE-2026-55607
https://github.com/anthropics/claude-code/security/advisories/GHSA-7835-87q9-rgvv
    </References>
</Vulnerability>