CVE-2026-31861 is a code injection vulnerability categorized under CWE-94 affecting siteboon's Cloud CLI (Claude Code UI) prior to version 1.24.0. The vulnerability arises from insecure handling of user input in the /api/user/git-config API endpoint, which constructs shell commands by embedding user-supplied gitName and gitEmail values directly into command strings executed via Node.js's child_process.exec(). While the input is enclosed in double quotes and the double quote character is escaped, bash shell semantics allow interpretation of backticks (`), command substitution via $(), and certain escape sequences even within double-quoted strings. This oversight enables an authenticated attacker to inject malicious shell commands that the system executes with the privileges of the running process. The attack vector requires authentication but no additional user interaction or elevated privileges. The vulnerability has a CVSS 4.0 score of 8.7, reflecting its high severity due to the potential for full system compromise, data exfiltration, or disruption of services. The flaw was publicly disclosed on March 11, 2026, and fixed in version 1.24.0 of the product. No known exploits are currently reported in the wild. The root cause is improper sanitization and escaping of shell metacharacters in user input used in command execution contexts, a common pitfall in applications that dynamically generate shell commands. Remediation involves upgrading to the patched version and adopting safer coding practices such as avoiding direct shell command construction with user input, using parameterized APIs like child_process.execFile or spawn, and implementing rigorous input validation and sanitization.

The impact of CVE-2026-31861 is significant for organizations using vulnerable versions of Cloud CLI (Claude Code UI). Successful exploitation allows authenticated attackers to execute arbitrary operating system commands with the privileges of the application process, potentially leading to full system compromise. This can result in unauthorized data access or modification, installation of persistent malware, lateral movement within networks, and disruption or destruction of services. Given the CLI nature of the product, attackers could leverage this to manipulate development workflows, inject malicious code into repositories, or exfiltrate sensitive configuration data. The vulnerability's ease of exploitation—requiring only authentication and no user interaction—heightens the risk. Organizations relying on this tool for development or automation may face operational downtime, reputational damage, and compliance violations if exploited. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code may emerge following disclosure.

To mitigate CVE-2026-31861, organizations should immediately upgrade siteboon's Cloud CLI (Claude Code UI) to version 1.24.0 or later, where the vulnerability is fixed. Until upgrade is possible, restrict access to the /api/user/git-config endpoint to trusted users only and monitor for suspicious activity. Developers should avoid constructing shell commands by concatenating or interpolating user input; instead, use safer Node.js APIs such as child_process.execFile or spawn that accept arguments as arrays, preventing shell interpretation. Implement strict input validation and sanitization on gitName and gitEmail fields to disallow shell metacharacters like backticks, dollar signs, and backslashes. Employ application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block command injection attempts. Conduct thorough code reviews and security testing focusing on command execution paths. Finally, maintain robust authentication and logging to detect and respond to potential exploitation attempts promptly.