Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to execute arbitrary commands with the privileges of the user or automation environment, enabling credential theft and environment variable exfiltration.
AnalysisAI
OS command injection in Anthropic Claude Code CLI and Agent SDK for Python allows remote, unauthenticated attackers to execute arbitrary commands through unsanitized authentication helper parameters processed with shell=true. The vulnerability enables credential theft and environment variable exfiltration in CI/CD pipelines where these tools run with elevated automation privileges. Publicly available exploit code exists, creating immediate risk for organizations using these SDKs in automated workflows.
Technical ContextAI
This vulnerability stems from CWE-78 (OS Command Injection) in the authentication helper execution logic of both the Claude Code CLI (cpe:2.3:a:anthropic:claude_code) and Claude Agent SDK for Python (cpe:2.3:a:anthropic:claude_agent_sdk_for_python). The affected components execute authentication helper commands using Python's subprocess module with shell=true parameter, directly interpolating user-controllable configuration values including apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh without input sanitization. When shell=true is enabled, shell metacharacters such as semicolons, pipes, backticks, and command substitution operators are interpreted by the underlying shell, allowing attackers to break out of the intended command context. This design flaw is particularly dangerous in authentication workflows where external helper programs are invoked to retrieve credentials, as these execution paths typically run with the full privileges of the calling process. The vulnerability is exploitable wherever authentication configuration can be influenced, including through environment variables, configuration files, or API parameters in automated environments.
RemediationAI
Organizations should immediately audit all deployments of Anthropic Claude Code CLI and Claude Agent SDK for Python, particularly in CI/CD pipelines and automated environments. Primary mitigation requires upgrading to patched versions once released by Anthropic; monitor the vendor advisory at https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-authentication-helper for patch availability. Until patches are deployed, implement these interim controls: disable or remove authentication helper functionality if not operationally required; restrict configuration file permissions to prevent unauthorized modification of helper parameters; implement strict input validation on any authentication configuration sources; use application-level allowlisting to restrict which helper programs can be executed; isolate Claude SDK execution in containerized environments with minimal credential access; rotate all credentials that may have been exposed in affected environments; and monitor process execution logs for suspicious shell metacharacter patterns in authentication helper invocations. For critical environments, consider temporarily suspending use of these tools until vendor patches are confirmed and applied.
More in Claude Code
View allOS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python allows local attackers to execute arbi
OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python enables arbitrary command execution vi
Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code
Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and shor
Claude Code prior to version 2.0.57 failed to properly validate MCP tool inputs, allowing malicious MCP servers to injec
Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the sta
Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command p
Sandbox escape and code execution in Anthropic's Claude Code CLI (versions 2.1.38 through 2.1.162) lets a malicious repo
Sandbox escape in Claude Code versions prior to 2.1.64 enables arbitrary file writes outside the workspace by exploiting
Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no au
Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious reposi
Claude Code versions prior to 1.0.111 fail to properly validate trusted domains for WebFetch requests, allowing attacker
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19442
GHSA-479q-mw77-pmr5