CVE-2026-35020
Published: 06 April 2026
Description
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launcher that allows local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. Attackers can inject shell metacharacters into the TERMINAL variable, which are interpreted by /bin/sh when the command lookup helper constructs and executes shell commands with shell=true. The vulnerability can be triggered during normal CLI execution as well as via the deep-link handler path, resulting in arbitrary command execution with the privileges of the user running the CLI.
Mitigating Controls (NIST 800-53 r5) [AI]
- Remediates the OS command injection flaw in the Claude Code CLI and Agent SDK by identifying, patching, and verifying fixes for the vulnerable command lookup helper and deep-link launcher.
- Validates inputs like the TERMINAL environment variable to block shell metacharacters before they are used in shell=true command construction and execution.
- Monitors for anomalous process executions or shell invocations triggered by manipulated TERMINAL variables during CLI or deep-link operations.
Security Summary [AI]
CVE-2026-35020, published on 2026-04-06, is an OS command injection vulnerability (CWE-78) in the Anthropic Claude Code CLI and Claude Agent SDK. The issue affects the command lookup helper and deep-link terminal launcher components, where local attackers can manipulate the TERMINAL environment variable to inject shell metacharacters. These metacharacters are interpreted by /bin/sh during command construction and execution when shell=true is used, enabling arbitrary command execution.
Local attackers can exploit the vulnerability without privileges (PR:N) by setting a malicious TERMINAL environment variable, triggering it during normal CLI execution or via the deep-link handler path. Successful exploitation results in arbitrary command execution with the privileges of the user running the CLI, potentially leading to full system compromise for that user. The CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability.
Advisories from Phoenix Security and VulnCheck provide further details on the vulnerability, including recommendations for mitigation; security practitioners should review these references for patch information and workarounds: https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/ and https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-terminal-environment-variable.
Details
- CWE(s): CWE-78
AI Security Analysis [AI]
- AI Category: APIs and Models
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: claude, claude
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability enables exploitation of a client-side CLI tool (T1203) via OS command injection into /bin/sh (T1059.004), allowing arbitrary command execution.