CVE-2026-35021
OS Command Injection in Anthropic Claude CLI and SDK
Publication date: 2026-04-06
Last updated on: 2026-04-29
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anthropic | claude_code | to 2.1.91 (inc) |
| anthropic | claude_agent_sdk | to 0.1.55 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35021 is an OS command injection vulnerability found in Anthropic Claude Code CLI and Claude Agent SDK. It occurs in the prompt editor invocation utility where maliciously crafted file paths containing shell metacharacters like $() or backtick expressions can be injected. These file paths are interpolated into shell commands executed via execSync. Although the file paths are wrapped in double quotes, POSIX shell semantics allow command substitution within double quotes, enabling attackers to execute arbitrary commands with the privileges of the user running the CLI.
How can this vulnerability impact me?
This vulnerability allows attackers to execute arbitrary OS commands on the system with the same privileges as the user running the CLI. This can lead to unauthorized actions such as credential exfiltration, local file creation, and network-accessible data leakage. Attackers can exploit this through crafted file paths or environment variables, potentially compromising developer workstations, CI/CD pipelines, and automation environments. The vulnerability poses a critical risk especially in CI/CD contexts where security dialogs are bypassed, enabling persistent malicious code execution and credential theft.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Anthropic Claude Code CLI or Claude Agent SDK versions in use are vulnerable, specifically versions up to 2.1.91 for the CLI and up to 0.1.55 for the SDK.
Since the vulnerability arises from OS command injection via crafted file paths containing shell metacharacters such as $() or backticks, one detection approach is to test the prompt editor invocation utility by attempting to open files with specially crafted names that include these characters and observing if arbitrary commands execute.
Commands to detect exploitation attempts or presence of the vulnerability could include searching for suspicious file names or processes spawned by the CLI, for example:
- Use shell commands to find files with suspicious characters in project directories: `` find . -name '*$(*' -o -name '*`*' ``
- Monitor running processes for unexpected commands spawned by the CLI: `ps aux | grep claude` and check for unusual child processes.
- Check environment variables for injected payloads, especially those related to terminal or editor settings.
However, no explicit detection commands or tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Avoid using vulnerable versions of Anthropic Claude Code CLI (up to 2.1.91) and Claude Agent SDK (up to 0.1.55). Upgrade to patched versions once available.
- Do not allow untrusted or attacker-controlled input to influence file paths or environment variables used by the CLI, especially those that are interpolated into shell commands.
- Avoid running the CLI in non-interactive or automated CI/CD environments without strict input validation and workspace trust checks, as these modes skip security dialogs and increase risk.
- Implement strict input sanitization to prevent shell metacharacters such as $() or backticks in file paths or environment variables.
- Restrict permissions of the user running the CLI to limit the impact of potential arbitrary command execution.
- Apply sandboxing and permission checks to all execution paths, including authentication helpers and editor invocation utilities.
These steps align with recommendations to eliminate shell-evaluated string interpolation, enforce input validation, and restore trust boundaries in non-interactive modes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-35021 enables attackers to execute arbitrary OS commands and exfiltrate credentials by exploiting command injection vulnerabilities in Anthropic Claude Code CLI and SDK. This can lead to unauthorized access to sensitive data and systems.
Such unauthorized access and credential exfiltration pose significant risks to compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and sensitive information against unauthorized disclosure and breaches.
The vulnerability's ability to bypass security controls in CI/CD environments and automation contexts increases the risk of data leakage and persistent compromise, further impacting regulatory compliance obligations related to data integrity, confidentiality, and auditability.