Skip to main content

Python CVE-2026-45136

| EUVDEUVD-2026-32664 HIGH
OS Command Injection (CWE-78)
2026-05-13 https://github.com/cnighswonger/claude-code-cache-fix GHSA-g3xq-3gmv-qq8g
8.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
May 27, 2026 - 21:29 vuln.today
v3 (cvss_changed)
Analysis Updated
May 27, 2026 - 21:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 27, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
May 27, 2026 - 21:22 NVD
8.6 (HIGH)
Source Code Evidence Fetched
May 13, 2026 - 16:32 vuln.today
Analysis Generated
May 13, 2026 - 16:32 vuln.today
CVE Published
May 13, 2026 - 15:31 nvd
HIGH

DescriptionGitHub Advisory

Summary

tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process.

Affected versions

  • v3.5.0
  • v3.5.1

Patched versions

  • v3.5.2

Affected configurations

Users who wired tools/quota-statusline.sh into Claude Code's statusLine configuration. The v3.5.0 README explicitly recommends this setup, so most users on v3.5.0/v3.5.1 with the recommended setup are affected.

Attack chain

Claude Code's statusline hook payload reflects user-controlled paths (cwd, workspace.current_dir, workspace.project_dir, transcript_path). Apostrophes are legal in POSIX filesystem paths.

  1. A hostile directory name containing '''+payload+''' lands on disk via any normal vector - git clone, archive extraction, npm package, downloaded zip, etc.
  2. The victim has the recommended tools/quota-statusline.sh wired into their CC statusLine config.
  3. The victim cds anywhere a hostile path is reachable.
  4. CC fires the statusline hook on every redraw. The Python literal closes early. The injected bytes execute as Python in the user's process.

Severity

Local code execution at user privilege. Persistent re-fire on every statusline redraw. No user interaction beyond cd-ing into the hostile path. The user's shell, CC session, files, SSH keys, and any locally-accessible credentials are reachable from the executed code.

Vulnerable pattern

sh
input=$(cat)
result=$(python3 -c "
    stdin_data = json.loads('''$input''') if '''$input''' else {}
")

Fix

Capture stdin in bash, export to env, and pipe the Python source through a single-quoted heredoc (<<'PYEOF'). Single-quoting disables ALL bash interpolation inside the body. Python reads the JSON via os.environ.get('CC_INPUT'), where the bytes are inert at every layer.

sh
CC_INPUT=$(cat)
export CC_INPUT

python3 <<'PYEOF' 2>/dev/null
import os, json
try:
    cc_input = json.loads(os.environ.get('CC_INPUT') or '{}')
except Exception:
    cc_input = {}
# ...
PYEOF

Workarounds

Until upgrading to v3.5.2:

  • Disable the statusline by removing the statusLine entry from ~/.claude/settings.json, or
  • Replace tools/quota-statusline.sh with a script that does NOT pass stdin through python3 -c "..." (a heredoc + env var rewrite is safe)

Credit

Reported by Jakob Linke (@schuay) via GitHub issue #108.

Timeline

  • 2026-05-07 - reported (#108)
  • 2026-05-07 - confirmed, fix implemented (#110)
  • 2026-05-07 - v3.5.2 published

AnalysisAI

Local code execution in the claude-code-cache-fix npm package (v3.5.0 and v3.5.1) lets attacker-controlled filesystem path names run arbitrary Python inside a victim's Claude Code process. The bundled tools/quota-statusline.sh interpolates Claude Code's statusline hook stdin — which reflects user-controlled paths such as cwd, workspace.current_dir, workspace.project_dir, and transcript_path — directly into a Python triple-quoted literal, so a directory name containing the byte sequence ''' closes the literal early and executes following bytes as Python at the user's privilege on every statusline redraw. A working injection payload is publicly available exploit code (published in the GHSA advisory and the T6/T7 regression tests); the issue is not listed in CISA KEV and no EPSS score was provided.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-45136 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy