CVE-2026-35022

216.73.217.22

· Published 06/04/2026 20:16 · Modified 07/04/2026 13:20

Labels: CVE-2026-35022 2026-04-06 CVE-2026-35022 CWE-78 [email protected]

Essential information

Published: 06/04/2026 20:16
Modified: 07/04/2026 13:20
Author: —
Creator: —
CVSS: 9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to execute arbitrary commands with the privileges of the user or automation environment, enabling credential theft and environment variable exfiltration.

NVD status

Status: Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
anthropic / claude code cli	`cpe:2.3:a:anthropic:claude_code_cli::::::::`
anthropic / claude agent sdk	`cpe:2.3:a:anthropic:claude_agent_sdk::::::::`