CVE-2026-35020
OS Command Injection in Anthropic Claude CLI and SDK
Publication date: 2026-04-06
Last updated on: 2026-04-29
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anthropic | claude_code | to 2.1.91 (inc) |
| anthropic | claude_agent_sdk | to 0.1.55 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the OS command injection vulnerability in Anthropic Claude Code CLI and Claude Agent SDK impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-35020 is an OS command injection vulnerability found in Anthropic Claude Code CLI and Claude Agent SDK. It occurs because the software improperly handles the TERMINAL environment variable, allowing local attackers to inject shell metacharacters. These injected characters are interpreted by the shell (/bin/sh) when the software constructs and executes commands, enabling attackers to run arbitrary commands with the privileges of the user running the CLI.
This vulnerability can be triggered during normal CLI execution or through the deep-link terminal launcher, making it possible for an attacker with local access to exploit it.
How can this vulnerability impact me? :
This vulnerability allows an attacker with local access to execute arbitrary commands on the affected system with the same privileges as the user running the Anthropic Claude Code CLI or Claude Agent SDK. This can lead to unauthorized actions such as data theft, system modification, installation of malware, or complete system compromise.
Because the attacker can execute commands with user-level privileges, the impact depends on the permissions of that user but can be severe, including loss of confidentiality, integrity, and availability of the system and data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the Anthropic Claude Code CLI or Claude Agent SDK versions are up to 2.1.91 and 0.1.55 respectively, as these versions are affected.
Since the vulnerability is triggered by manipulation of the TERMINAL environment variable leading to OS command injection, you can inspect environment variables and monitor for suspicious or unexpected shell metacharacters in TERMINAL.
Commands to help detect potential exploitation or presence of the vulnerability include:
- Check the installed version of the Anthropic Claude Code CLI: `claude-code-cli --version` or similar.
- Check the installed version of the Claude Agent SDK for Python: `pip show claude-agent-sdk` or `pip list | grep claude-agent-sdk`.
- Inspect the TERMINAL environment variable for suspicious content: `echo $TERMINAL`.
- Monitor running processes or command executions that involve the CLI or SDK for unusual shell metacharacters or commands.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the affected software to versions beyond those vulnerable (above 2.1.91 for Anthropic Claude Code CLI and above 0.1.55 for Claude Agent SDK).
Avoid running the CLI or SDK with untrusted or manipulated TERMINAL environment variables to prevent injection of shell metacharacters.
Restrict local user access to trusted users only, since the vulnerability requires local attacker privileges.
Monitor and sanitize environment variables in scripts or automation that invoke the CLI or SDK to ensure TERMINAL is not set to malicious values.