Executive Summary

CVE-2026-31975 is a critical vulnerability in Cloud CLI (aka Claude Code UI) versions prior to 1.25.0 that allows unauthenticated remote code execution via WebSocket shell injection.

The vulnerability arises because user inputs such as projectPath, initialCommand, and sessionId are taken directly from WebSocket message payloads and interpolated into bash command strings without any sanitization, enabling arbitrary OS command execution.

Additionally, the server uses an insecure default JWT secret that is publicly known, allowing attackers to forge valid JWT tokens and bypass WebSocket authentication, since the authentication function does not verify if the userId in the token exists in the database.

This combination of insecure default configuration, improper authentication, and unsafe command execution leads to critical remote code execution risks on affected instances.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including:

• Full OS command execution as the server user, allowing attackers to run arbitrary commands on the host.
• Unauthorized access to the file system, including reading sensitive files such as SSH keys and environment variables.
• Credential theft and potential lateral movement within the host network.
• Exploitation requires no authentication and can be performed immediately after default installation.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring WebSocket connections to the /shell endpoint for suspicious payloads containing unsanitized commands. Since the exploit involves sending specially crafted JSON messages with malicious shell commands in the initialCommand or projectPath fields, inspecting WebSocket traffic for such patterns is key.'}, {'type': 'paragraph', 'content': "Additionally, checking for usage of the default JWT secret 'claude-ui-dev-secret-change-in-production' can indicate vulnerable deployments."}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts or presence of the vulnerability include:'}, {'type': 'list_item', 'content': 'Using network packet capture tools (e.g., tcpdump or Wireshark) to filter WebSocket traffic on port 80/443 and inspect payloads for suspicious commands.'}, {'type': 'list_item', 'content': "Searching server logs for WebSocket connections to /shell with unusual commands, e.g., grep 'id && cat /etc/passwd' or other shell injection patterns."}, {'type': 'list_item', 'content': 'Checking environment variables or configuration files for the default JWT secret string.'}, {'type': 'list_item', 'content': "Example command to search logs for suspicious commands: grep -rE '(id && cat /etc/passwd|rm -rf|nc -e)' /var/log/claudecodeui/"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading the affected software to version 1.25.0 or later, where the vulnerability is fixed.

Other critical mitigation actions are:

• Remove the insecure default JWT secret and explicitly set a strong, unique JWT_SECRET environment variable.
• Ensure WebSocket authentication verifies that the userId in the JWT token exists in the database before granting access.
• Prevent OS command injection by validating and sanitizing inputs such as projectPath, initialCommand, and sessionId before using them in shell commands.
• Restrict CORS settings to trusted origins instead of allowing all origins.
• Limit access to the /api/auth/register endpoint, ideally restricting it to localhost during initial setup.
• Add expiration to JWT tokens to reduce the risk of token misuse.

Useful 0 Not Useful 0