Critical (9.8)

Claude Code CLI OS command injection (CVE-2026-35022)

CVE-2026-35022

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without ...

Overview

A critical OS command injection vulnerability, tracked as CVE-2026-35022, has been identified in the Anthropic Claude Code CLI and the Claude Agent SDK. The flaw resides in how these tools execute authentication helper scripts, allowing attackers to inject and run arbitrary operating system commands.

Vulnerability Details

The vulnerability exists because certain configuration parameters (specifically apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh) are passed to a shell command without proper validation or sanitization. An attacker who controls these parameters can inject shell metacharacters (such as ;, &, |, or backticks) to break out of the intended command and execute malicious instructions. This occurs due to the use of shell=true in the underlying code execution function.

Impact and Severity

Rated CRITICAL with a CVSS score of 9.8, this vulnerability has severe implications. An attacker who can influence authentication settings can execute arbitrary commands with the same privileges as the user running the Claude CLI or automation environment. Successful exploitation could lead to:

  • Theft of cloud credentials (AWS, GCP) and API keys.
  • Exfiltration of sensitive environment variables.
  • Full compromise of the underlying host system.
  • Lateral movement within a network.

The attack vector is NETWORK, requires no privileges or user interaction, and is of LOW complexity, making it highly exploitable.

Remediation and Mitigation

The primary remediation is to apply the official patches released by Anthropic for the affected software. Users should immediately update their Claude Code CLI and Claude Agent SDK to the latest patched versions.

If immediate patching is not possible, consider these mitigations:

  • Restrict Access: Ensure that configuration files and environment variables controlling authentication helpers are not writable by untrusted users or processes.
  • Audit Settings: Review all instances where the Claude CLI or SDK is used in automation. Check for any unusual or unexpected values in the vulnerable configuration parameters.
  • Principle of Least Privilege: Run these tools under a dedicated service account with the minimum necessary permissions, limiting the potential impact of command execution.
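
One way to carry out the "Audit Settings" step is shown below. It is an added example, not code from Anthropic or from this advisory's source. It assumes the settings are JSON documents whose paths you pass on the command line, and the verdict strings and the $-rooted path notation are this example's own. A flagged value still needs human review, and a clean value only means no metacharacters were found.

```python
import json
import re
import sys

# Helper settings the advisory names as being run through a shell.
HELPER_KEYS = {"apiKeyHelper", "awsAuthRefresh", "awsCredentialExport", "gcpAuthRefresh"}
# ; & | ` come from the advisory; $( < > and newline are added review triggers (assumption).
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(")

# Constructed sample settings document, not taken from any real deployment.
SAMPLE = json.dumps({
    "apiKeyHelper": "/opt/tools/get-key.sh",
    "profiles": [{"awsAuthRefresh": "aws sso login; echo constructed-marker"}],
    "gcpAuthRefresh": ["gcloud", "auth", "login"],
})


def find_helpers(node, path="$"):
    """Yield (json_path, value) for each helper key at any nesting depth."""
    items = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    for key, value in items:
        here = f"{path}.{key}"
        if key in HELPER_KEYS:
            yield here, value
        else:
            yield from find_helpers(value, here)


def audit_settings(text):
    """Return (json_path, verdict, value) for each helper in one JSON document."""
    findings = []
    for where, value in find_helpers(json.loads(text)):
        if not isinstance(value, str):
            verdict = "unexpected type"
        elif SHELL_META.search(value):
            verdict = "shell metacharacters"
        else:
            verdict = "configured, confirm it is expected"
        findings.append((where, verdict, value))
    return findings


if __name__ == "__main__":
    # With no file arguments, audit the constructed sample instead.
    docs = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    for name, text in docs.items():
        for where, verdict, value in audit_settings(text):
            print(f"{name}: {where}: {verdict}: {value!r}")
```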

Security Insight

This vulnerability highlights the persistent risk of command injection in developer tooling and AI agent frameworks, where convenience features like shell execution are often prioritized over security. Similar to the LangChain and LangGraph flaws that exposed secrets, it underscores how the rapid integration of AI capabilities into development workflows can introduce classic, high-severity vulnerabilities if secure coding practices are not rigorously enforced from the start.
