Anthropic: Claude Code v2.1.187 — sandbox credentials protection, org model restrictions, CJK fix
Claude Code v2.1.187 is an update released on June 23, 2026 that introduces the sandbox.credentials setting to block reading secret variables from the sandbox, organizational model picker restrictions, and fixes for MCP call freezing and a CJK mojibake bug in terminals.
This article was generated using artificial intelligence from primary sources.
Anthropic releases Claude Code v2.1.187 with focus on security and enterprise management
Anthropic released Claude Code v2.1.187 on June 23, 2026 — one day after v2.1.186, which brought MCP authentication and a Skills section in plugins. The new version delivers three new features and three bug fixes, with a particular emphasis on security isolation and enterprise model control.
What is sandbox.credentials and why does it matter?
Sandboxed code execution — an isolated environment in which Claude Code runs shell commands without full system access — previously had no explicit protection for secrets. The new sandbox.credentials setting changes that: sandboxed commands are blocked from reading credential files and secret env variables (e.g., API keys, passwords, tokens). Unlike the prior model where sandboxing was limited to OS-level restrictions, this setting operates at the Claude Code configuration level — precise and without touching OS policies. Teams using Claude Code in CI/CD environments with sensitive secrets now get a programmatic guarantee that isolated code cannot reach those secrets.
Organizational model restrictions
The second key addition concerns enterprise management: organizational administrators can now restrict which models are available within an organization. When a restriction is active, the model picker, --model flag, and ANTHROPIC_MODEL env variable display a message saying it is restricted by the org — preventing unauthorized selection of expensive or experimental models. Additionally, mouse support now works in fullscreen selection menus — permission prompts, /model, and /config screens.
Three bug fixes that were blocking stability
Version 2.1.187 resolves three bugs affecting production use. First, remote MCP (Model Context Protocol — the standard for accessing external tools) calls that hung for up to 5 minutes now automatically abort; the timeout is configurable via CLAUDE_CODE_MCP_TOOL_IDLE_TIMEOUT. Second, Korean and other CJK characters were being corrupted into mojibake — unreadable byte sequences — in terminals that send paste input byte-by-byte instead of as a single string; this is now fixed. Third, resumed subagents now correctly restore spawn depth, and forked subagents are correctly counted against the depth cap — making agentic workflows with deeply nested subagents more stable.
Development pace shows no signs of slowing
Anthropic continues shipping new versions at nearly a daily cadence: from v2.1.128 (May 5, 2026) to v2.1.187, that is 59 versions in less than seven weeks. V2.1.187 continues the trend of each release delivering concrete security or enterprise features alongside the previous day’s bug fixes — not just cosmetic changes.
Frequently Asked Questions
- What does the sandbox.credentials setting protect and from what?
- The new sandbox.credentials setting blocks sandboxed shell commands from reading credential files and secret env variables — preventing accidental or intentional leakage of secrets from isolated code execution.
- How does v2.1.187 differ from the previous v2.1.186?
- While v2.1.186 introduced MCP login/logout authentication and a Skills section in plugins, v2.1.187 focuses on security (sandbox credentials), enterprise management (org model restrictions), and three bug fixes that blocked stability of agentic workflows — MCP freezing, CJK mojibake, and subagent depth tracking.