Anthropic's Claude Code, an AI programming tool, has been found to contain a significant security vulnerability in its network sandbox feature. Independent researcher Aonan Guan discovered an empty byte injection attack in the SOCKS5 protocol, allowing unauthorized access to restricted hosts. This flaw has been present since the sandbox's launch in October 2025, affecting all versions until a silent patch was applied on April 1, 2026. Despite the severity, Anthropic has not issued a security advisory or CVE, leaving users unaware of the risk. The vulnerability exploits a discrepancy in how JavaScript and C handle null bytes, enabling attackers to bypass domain restrictions. This issue, combined with a previously disclosed prompt injection attack, poses a significant threat to sensitive data security. Anthropic's handling of the situation, including a lack of transparency and communication, has drawn criticism from the security community, highlighting the need for robust disclosure practices and effective security measures.