CVE-2026-24887
Published: 03 February 2026
Summary
CVE-2026-24887 is a high-severity OS Command Injection (CWE-78) vulnerability in Anthropic Claude Code. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 16.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as APIs and Models.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by validating untrusted content introduced into the Claude Code context window before command parsing and execution.
Ensures timely application of patches, such as upgrading to Claude Code version 2.0.72, to remediate the specific command parsing flaw.
Limits the scope and impact of untrusted command execution by enforcing least privilege on the Claude Code process and associated accounts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection (CWE-78) in Claude Code directly bypasses confirmation prompts to enable arbitrary Unix shell command execution (find command) on the host; the vuln is exploitable remotely with low privileges to achieve RCE and privilege escalation.
NVD Description
Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting…
more
this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.72.
Deeper analysisAI
CVE-2026-24887 affects Claude Code, an agentic coding tool from Anthropic, in versions prior to 2.0.72. The vulnerability stems from an error in command parsing that allows attackers to bypass the tool's confirmation prompt, enabling execution of untrusted commands via the find command. Associated with CWE-78 (OS Command Injection) and CWE-94 (Code Injection), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
Exploitation requires an attacker with low privileges (PR:L) who can introduce untrusted content into a Claude Code context window, such as through manipulated inputs or shared sessions. Once injected, the malformed find command evades the confirmation mechanism, allowing arbitrary command execution on the host system without user interaction (UI:N). This could lead to full system compromise, data exfiltration, or persistent access, depending on the attacker's privileges and the environment.
The GitHub Security Advisory (GHSA-qgqw-h4xq-7w8w) confirms the issue was patched in Claude Code version 2.0.72 by fixing the command parsing logic. Security practitioners should upgrade to 2.0.72 or later and review usage of Claude Code in contexts where untrusted content might enter the tool's window, such as collaborative coding or automated pipelines.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: claude, claude, claude