Skip to main content

Claude HUD CVE-2026-47092

| EUVDEUVD-2026-30802 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-05-18 VulnCheck GHSA-p5qq-v9mc-39ff
7.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 18, 2026 - 20:30 vuln.today
Analysis Generated
May 18, 2026 - 20:30 vuln.today
CVSS changed
May 18, 2026 - 20:22 NVD
7.8 (HIGH) 7.3 (HIGH)

DescriptionCVE.org

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version check, causing execFile() to execute the attacker-supplied executable with cmd.exe arguments, resulting in arbitrary code execution on Windows systems.

AnalysisAI

Local privilege code execution in jarrodwatts/claude-hud through version 0.0.12 on Windows allows authenticated local users to run arbitrary executables by setting the COMSPEC environment variable before the tool's version check, where execFile() launches whatever binary COMSPEC points to with cmd.exe-style arguments. The flaw is tracked as CWE-427 (Uncontrolled Search Path Element) and was reported by VulnCheck; no public exploit identified at time of analysis, but the upstream commit 234d9aa makes the fix mechanics straightforward to reverse-engineer.

Technical ContextAI

claude-hud is a Node.js-based status/HUD utility (cpe:2.3:a:jarrodwatts:claude-hud) that shells out to cmd.exe on Windows to perform a version check. It uses Node's child_process.execFile() but resolves the interpreter via the COMSPEC environment variable rather than a hardened absolute path, which maps directly to CWE-427: the program trusts an externally controllable search/path element to locate a critical binary. Because execFile() does not invoke a shell, the issue is not classic shell metacharacter injection but rather a binary-substitution flaw - whatever path COMSPEC names is executed verbatim, with cmd.exe's argument list appended.

RemediationAI

Upgrade claude-hud to the release containing upstream fix commit 234d9aad919b51326a43bcf90b45ae35c23afc30 (merged via PR #487); the project notes versions after 0.0.12 are patched, and an exact released tag should be confirmed against the repository releases page before rollout. If immediate upgrade is not possible, compensating controls on Windows are to unset or hardcode COMSPEC to %SystemRoot%\System32\cmd.exe in any shell or service that launches claude-hud, restrict who can modify environment variables for that process (avoid running claude-hud from contexts where lower-privileged users can influence the environment block), and avoid invoking claude-hud from elevated or service accounts until patched - the trade-off is that altering COMSPEC globally can break legitimate scripts that expect a customized command processor.

Share

CVE-2026-47092 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy