CVE-2026-31975
Published: 11 March 2026
Summary
CVE-2026-31975 is a critical-severity OS Command Injection (CWE-78) vulnerability in Cloudcli Cloud Cli. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires input validation and sanitization of WebSocket payloads like projectPath, initialCommand, and sessionId before bash command interpolation, preventing OS command injection.
Ensures timely identification, reporting, and patching of the command injection flaw to version 1.25.0, remediating the vulnerability.
Restricts WebSocket message inputs to authorized types, formats, and content, limiting opportunities for malicious command payloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of a public-facing WebSocket server (T1190) leading to arbitrary OS command injection in bash (T1059.004).
NVD Description
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.25.0, OS Command Injection via WebSocket Shell. Both projectPath and initialCommand in server/index.js are taken directly from the…
more
WebSocket message payload and interpolated into a bash command string without any sanitization, enabling arbitrary OS command execution. A secondary injection vector exists via unsanitized sessionId. This vulnerability is fixed in 1.25.0.
Deeper analysisAI
CVE-2026-31975 is an OS command injection vulnerability (CWE-78) affecting Cloud CLI, also known as Claude Code UI, a desktop and mobile user interface for tools including Claude Code, Cursor CLI, Codex, and Gemini-CLI. In versions prior to 1.25.0, the server/index.js component directly interpolates unsanitized user inputs—specifically projectPath and initialCommand from WebSocket message payloads—into bash command strings, enabling arbitrary OS command execution. A secondary injection vector exists through the unsanitized sessionId. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
The vulnerability can be exploited remotely by unauthenticated attackers with network access to the affected application, requiring low complexity and no user interaction. By crafting malicious WebSocket messages, attackers can inject and execute arbitrary operating system commands on the host running the Cloud CLI server, potentially leading to full system compromise with high confidentiality, integrity, and availability impacts.
Mitigation is available in version 1.25.0, which addresses the injection flaws through proper input sanitization. Security practitioners should update to this release immediately. Relevant resources include the fixing commit at https://github.com/siteboon/claudecodeui/commit/12e7f074d9563b3264caf9cec6e1b701c301af26, the release page at https://github.com/siteboon/claudecodeui/releases/tag/v1.25.0, and the GitHub security advisory at https://github.com/siteboon/claudecodeui/security/advisories/GHSA-gv8f-wpm2-m5wr.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: claude, claude, gemini