CVE-2026-35022: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Anthropic Claude Code
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to execute arbitrary commands with the privileges of the user or automation environment, enabling credential theft and environment variable exfiltration.
AI Analysis
Technical Summary
CVE-2026-35022 is an OS command injection vulnerability (CWE-78) in Anthropic Claude Code CLI and Claude Agent SDK. The issue arises because authentication helper configuration values are executed with shell=true without proper input validation. Attackers able to influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh, leading to arbitrary command execution with the privileges of the user or automation environment. This can result in credential theft and exfiltration of environment variables. The vulnerability has a critical CVSS 4.0 score of 9.3. The affected product is a cloud service, and a patch is available, though no specific vendor advisory details were provided.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary OS commands with the privileges of the user or automation environment running the vulnerable components. This can lead to credential theft and exfiltration of sensitive environment variables, potentially compromising system integrity and confidentiality. The vulnerability is critical given the ease of exploitation (no privileges or user interaction required) and the high impact on confidentiality and integrity.
Mitigation Recommendations
Since the product is a cloud service, the vendor typically manages remediation server-side. A patch is available for this vulnerability. Users should apply the official patch or update provided by Anthropic as soon as possible. In the absence of detailed vendor advisory content, check Anthropic's official channels for the latest remediation guidance. No additional mitigation steps are specified or required beyond applying the patch.
CVE-2026-35022: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Anthropic Claude Code
Description
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to execute arbitrary commands with the privileges of the user or automation environment, enabling credential theft and environment variable exfiltration.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35022 is an OS command injection vulnerability (CWE-78) in Anthropic Claude Code CLI and Claude Agent SDK. The issue arises because authentication helper configuration values are executed with shell=true without proper input validation. Attackers able to influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh, leading to arbitrary command execution with the privileges of the user or automation environment. This can result in credential theft and exfiltration of environment variables. The vulnerability has a critical CVSS 4.0 score of 9.3. The affected product is a cloud service, and a patch is available, though no specific vendor advisory details were provided.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary OS commands with the privileges of the user or automation environment running the vulnerable components. This can lead to credential theft and exfiltration of sensitive environment variables, potentially compromising system integrity and confidentiality. The vulnerability is critical given the ease of exploitation (no privileges or user interaction required) and the high impact on confidentiality and integrity.
Mitigation Recommendations
Since the product is a cloud service, the vendor typically manages remediation server-side. A patch is available for this vulnerability. Users should apply the official patch or update provided by Anthropic as soon as possible. In the absence of detailed vendor advisory content, check Anthropic's official channels for the latest remediation guidance. No additional mitigation steps are specified or required beyond applying the patch.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-03-31T20:40:15.618Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69d409d70a160ebd92d5a937
Added to database: 4/6/2026, 7:30:31 PM
Last enriched: 4/14/2026, 11:23:54 AM
Last updated: 5/22/2026, 12:22:30 PM
Views: 206
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.