CVE-2026-35022
OS Command Injection in Anthropic Claude CLI and SDK Enables Credential Theft
Publication date: 2026-04-06
Last updated on: 2026-04-29
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anthropic | claude_code | to 2.1.91 (inc) |
| anthropic | claude_agent_sdk | to 0.1.55 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35022 is a critical OS command injection vulnerability affecting Anthropic Claude Code CLI and Claude Agent SDK. It occurs because authentication helper configuration values are executed with shell=true without proper input validation.
Attackers who can influence authentication settings, such as parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh, can inject shell metacharacters to execute arbitrary OS commands.
This allows attackers to run commands with the privileges of the user or automation environment, potentially leading to credential theft and exfiltration of environment variables.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized execution of arbitrary commands on your system with the privileges of the user or automation environment.
- Credential theft
- Exfiltration of environment variables
- Potential compromise of system confidentiality, integrity, and availability
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if your environment is running vulnerable versions of Anthropic Claude Code CLI (up to 2.1.91) or Claude Agent SDK for Python (up to 0.1.55).
You can inspect the configuration parameters related to authentication helpers such as apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh for suspicious shell metacharacters or unexpected command injections.
Since the vulnerability involves execution with shell=true, monitoring for unusual command executions or environment variable exfiltration attempts in logs or process activity may help detect exploitation.
Specific commands to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Anthropic Claude Code CLI to a version later than 2.1.91 and Claude Agent SDK for Python to a version later than 0.1.55 where the vulnerability is fixed.
Avoid using or exposing authentication helper configuration parameters (apiKeyHelper, awsAuthRefresh, awsCredentialExport, gcpAuthRefresh) to untrusted input sources to prevent injection of shell metacharacters.
Implement monitoring and restrict privileges of users or automation environments running these tools to limit the impact of potential exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows attackers to execute arbitrary OS commands with the privileges of the user or automation environment, potentially leading to credential theft and exfiltration of environment variables.
Such unauthorized access and data exfiltration can compromise the confidentiality and integrity of sensitive information, which may result in non-compliance with data protection regulations and standards like GDPR and HIPAA that require safeguarding personal and sensitive data.