Which versions of Claude Code are affected by CVE-2026-35021?

CVE-2026-35021 is a command injection vulnerability in Anthropic's Claude Code CLI and Python SDK that allows local attackers to execute arbitrary commands by supplying malicious file paths.

Is there a public PoC exploit available for CVE-2026-35021?

Yes, a public proof-of-concept exploit is available for CVE-2026-35021. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-35021?

Within 24 hours: Inventory all systems running Claude Code CLI and Claude Agent SDK for Python; identify which versions are deployed and which development/CI teams use these tools. Within 7 days: Implement input validation to sanitize file paths before passing to Claude tools, restrict Claude CLI usage to trusted input sources only, and enforce principle of least privilege for service accounts running these tools in CI/CD. Within 30 days: Contact Anthropic for patch timeline; evaluate alternative tooling or architectural changes to isolate Claude tool execution in sandboxed environments pending vendor patch availability.

Claude Code CVE-2026-35021

Q: What is the CVSS score of CVE-2026-35021?

CVE-2026-35021 has a CVSS 4.0 base score of 8.4 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-19440 HIGH

OS Command Injection (CWE-78)

2026-04-06 VulnCheck

GHSA-72p2-f44p-v65f

Command Injection Claude Code Claude Agent Sdk For Python

8.4

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.4 HIGH

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 29, 2026 - 19:07 vuln.today

cvss_changed

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

EUVD ID Assigned

Apr 06, 2026 - 19:30 euvd

EUVD-2026-19440

Analysis Generated

Apr 06, 2026 - 19:30 vuln.today

CVE Published

Apr 06, 2026 - 18:59 nvd

HIGH 8.4

DescriptionCVE.org

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious file paths. Attackers can inject shell metacharacters such as $() or backtick expressions into file paths that are interpolated into shell commands executed via execSync. Although the file path is wrapped in double quotes, POSIX shell semantics (POSIX §2.2.3) do not prevent command substitution within double quotes, allowing injected expressions to be evaluated and resulting in arbitrary command execution with the privileges of the user running the CLI.

AnalysisAI

OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python enables arbitrary command execution via malicious file paths containing shell metacharacters. Local attackers can exploit POSIX shell command substitution within double-quoted strings to execute commands with user privileges. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious file path with shell metacharacters

Exploit

Invoke prompt editor with injected path

Execution

Shell interprets command substitution in quotes

Impact

Execute arbitrary commands with user privileges