Cyber Posture

CVE-2026-35022

CriticalPublic PoC

Published: 06 April 2026

Published
06 April 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0052 67.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through…

more

parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to execute arbitrary commands with the privileges of the user or automation environment, enabling credential theft and environment variable exfiltration.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the lack of input validation on authentication helper parameters like apiKeyHelper before shell execution, preventing command injection.

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and patching of the specific OS command injection flaw in the Claude Code CLI and Agent SDK.

AC-6 Least Privilege partial match
prevent

Limits the impact of arbitrary command execution by enforcing least privilege on user and automation processes running the vulnerable tools.

Security SummaryAI

CVE-2026-35022, published on 2026-04-06, is an OS command injection vulnerability (CWE-78) in Anthropic's Claude Code CLI and Claude Agent SDK. The flaw occurs during authentication helper execution, where configuration values are passed to shell commands using shell=true without input validation. Vulnerable parameters include apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote exploitation.

Attackers who can influence authentication settings in these tools can inject shell metacharacters through the affected parameters, enabling execution of arbitrary OS commands with the privileges of the user or automation environment running the CLI or SDK. Successful exploitation allows for credential theft and exfiltration of environment variables, compromising sensitive data in development, CI/CD pipelines, or automated workflows.

Security practitioners should consult published advisories for mitigation guidance and patch details, including the Phoenix Security analysis at https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-authentication-helper.

Details

CWE(s)
CWE-78

AI Security AnalysisAI

AI Category
APIs and Models
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
MITRE ATLAS Techniques
None mapped
Classification Reason
Matched keywords: claude, claude

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

The OS command injection vulnerability directly enables arbitrary shell command execution (T1059.004: Unix Shell) via injected metacharacters in authentication helpers and exploitation of the client-side CLI/SDK for code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References