Cyber Posture

CVE-2026-31975

CriticalPublic PoC

Published: 11 March 2026

Published
11 March 2026
Modified
20 March 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0061 69.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.25.0, OS Command Injection via WebSocket Shell. Both projectPath and initialCommand in server/index.js are taken directly from the…

more

WebSocket message payload and interpolated into a bash command string without any sanitization, enabling arbitrary OS command execution. A secondary injection vector exists via unsanitized sessionId. This vulnerability is fixed in 1.25.0.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires input validation and sanitization of WebSocket payloads like projectPath, initialCommand, and sessionId before bash command interpolation, preventing OS command injection.

SI-2 Flaw Remediation good match
prevent

Ensures timely identification, reporting, and patching of the command injection flaw to version 1.25.0, remediating the vulnerability.

SI-9 Information Input Restrictions partial match
prevent

Restricts WebSocket message inputs to authorized types, formats, and content, limiting opportunities for malicious command payloads.

Security SummaryAI

CVE-2026-31975 is an OS command injection vulnerability (CWE-78) affecting Cloud CLI, also known as Claude Code UI, a desktop and mobile user interface for tools including Claude Code, Cursor CLI, Codex, and Gemini-CLI. In versions prior to 1.25.0, the server/index.js component directly interpolates unsanitized user inputs—specifically projectPath and initialCommand from WebSocket message payloads—into bash command strings, enabling arbitrary OS command execution. A secondary injection vector exists through the unsanitized sessionId. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

The vulnerability can be exploited remotely by unauthenticated attackers with network access to the affected application, requiring low complexity and no user interaction. By crafting malicious WebSocket messages, attackers can inject and execute arbitrary operating system commands on the host running the Cloud CLI server, potentially leading to full system compromise with high confidentiality, integrity, and availability impacts.

Mitigation is available in version 1.25.0, which addresses the injection flaws through proper input sanitization. Security practitioners should update to this release immediately. Relevant resources include the fixing commit at https://github.com/siteboon/claudecodeui/commit/12e7f074d9563b3264caf9cec6e1b701c301af26, the release page at https://github.com/siteboon/claudecodeui/releases/tag/v1.25.0, and the GitHub security advisory at https://github.com/siteboon/claudecodeui/security/advisories/GHSA-gv8f-wpm2-m5wr.

Details

CWE(s)
CWE-78

Affected Products

cloudcli
cloud cli
≤ 1.25.0

AI Security AnalysisAI

AI Category
APIs and Models
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
MITRE ATLAS Techniques
None mapped
Classification Reason
Matched keywords: claude, claude, gemini

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

CVE enables remote exploitation of a public-facing WebSocket server (T1190) leading to arbitrary OS command injection in bash (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References