Skip to main content

Claude Code CVE-2026-35022

| EUVDEUVD-2026-19442 CRITICAL
OS Command Injection (CWE-78)
2026-04-06 VulnCheck GHSA-479q-mw77-pmr5
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 29, 2026 - 19:07 vuln.today
cvss_changed
PoC Detected
Apr 07, 2026 - 13:20 vuln.today
Public exploit code
EUVD ID Assigned
Apr 06, 2026 - 19:30 euvd
EUVD-2026-19442
Analysis Generated
Apr 06, 2026 - 19:30 vuln.today
CVE Published
Apr 06, 2026 - 18:59 nvd
CRITICAL 9.3

DescriptionCVE.org

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to execute arbitrary commands with the privileges of the user or automation environment, enabling credential theft and environment variable exfiltration.

AnalysisAI

OS command injection in Anthropic Claude Code CLI and Agent SDK for Python allows remote, unauthenticated attackers to execute arbitrary commands through unsanitized authentication helper parameters processed with shell=true. The vulnerability enables credential theft and environment variable exfiltration in CI/CD pipelines where these tools run with elevated automation privileges. Publicly available exploit code exists, creating immediate risk for organizations using these SDKs in automated workflows.

Technical ContextAI

This vulnerability stems from CWE-78 (OS Command Injection) in the authentication helper execution logic of both the Claude Code CLI (cpe:2.3:a:anthropic:claude_code) and Claude Agent SDK for Python (cpe:2.3:a:anthropic:claude_agent_sdk_for_python). The affected components execute authentication helper commands using Python's subprocess module with shell=true parameter, directly interpolating user-controllable configuration values including apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh without input sanitization. When shell=true is enabled, shell metacharacters such as semicolons, pipes, backticks, and command substitution operators are interpreted by the underlying shell, allowing attackers to break out of the intended command context. This design flaw is particularly dangerous in authentication workflows where external helper programs are invoked to retrieve credentials, as these execution paths typically run with the full privileges of the calling process. The vulnerability is exploitable wherever authentication configuration can be influenced, including through environment variables, configuration files, or API parameters in automated environments.

RemediationAI

Organizations should immediately audit all deployments of Anthropic Claude Code CLI and Claude Agent SDK for Python, particularly in CI/CD pipelines and automated environments. Primary mitigation requires upgrading to patched versions once released by Anthropic; monitor the vendor advisory at https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-authentication-helper for patch availability. Until patches are deployed, implement these interim controls: disable or remove authentication helper functionality if not operationally required; restrict configuration file permissions to prevent unauthorized modification of helper parameters; implement strict input validation on any authentication configuration sources; use application-level allowlisting to restrict which helper programs can be executed; isolate Claude SDK execution in containerized environments with minimal credential access; rotate all credentials that may have been exposed in affected environments; and monitor process execution logs for suspicious shell metacharacter patterns in authentication helper invocations. For critical environments, consider temporarily suspending use of these tools until vendor patches are confirmed and applied.

CVE-2026-35020 HIGH POC
8.6 Apr 06

OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python allows local attackers to execute arbi

CVE-2026-35021 HIGH POC
8.4 Apr 06

OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python enables arbitrary command execution vi

CVE-2026-25725 CRITICAL
10.0 Feb 06

Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code

CVE-2025-66032 CRITICAL POC
9.8 Dec 03

Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and shor

CVE-2026-25722 CRITICAL
9.1 Feb 06

Claude Code prior to version 2.0.57 failed to properly validate MCP tool inputs, allowing malicious MCP servers to injec

CVE-2025-59536 HIGH POC
8.8 Oct 03

Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the sta

CVE-2026-24887 HIGH POC
8.8 Feb 03

Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command p

CVE-2026-55607 HIGH
7.7 Jun 29

Sandbox escape and code execution in Anthropic's Claude Code CLI (versions 2.1.38 through 2.1.162) lets a malicious repo

CVE-2026-39861 HIGH POC
7.7 Apr 21

Sandbox escape in Claude Code versions prior to 2.1.64 enables arbitrary file writes outside the workspace by exploiting

CVE-2025-59828 HIGH
7.7 Sep 24

Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no au

CVE-2026-21852 HIGH POC
7.5 Jan 21

Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious reposi

CVE-2026-24052 HIGH
7.4 Feb 03

Claude Code versions prior to 1.0.111 fail to properly validate trusted domains for WebFetch requests, allowing attacker

Share

CVE-2026-35022 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy