CVE-2026-35020
Published: 06 April 2026
Summary
CVE-2026-35020 is a high-severity OS Command Injection (CWE-78) vulnerability in Phoenix (inferred from references). Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 29.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediates the OS command injection flaw in the Claude Code CLI and Agent SDK by identifying, patching, and verifying fixes for the vulnerable command lookup helper and deep-link launcher.
Validates inputs like the TERMINAL environment variable to block shell metacharacters before they are used in shell=true command construction and execution.
Monitors for anomalous process executions or shell invocations triggered by manipulated TERMINAL variables during CLI or deep-link operations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables exploitation of a client-side CLI tool (T1203) via OS command injection into /bin/sh (T1059.004), allowing arbitrary command execution.
NVD Description
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launcher that allows local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. Attackers can inject…
more
shell metacharacters into the TERMINAL variable which are interpreted by /bin/sh when the command lookup helper constructs and executes shell commands with shell=true. The vulnerability can be triggered during normal CLI execution as well as via the deep-link handler path, resulting in arbitrary command execution with the privileges of the user running the CLI.
Deeper analysisAI
CVE-2026-35020, published on 2026-04-06, is an OS command injection vulnerability (CWE-78) in the Anthropic Claude Code CLI and Claude Agent SDK. The issue affects the command lookup helper and deep-link terminal launcher components, where local attackers can manipulate the TERMINAL environment variable to inject shell metacharacters. These metacharacters are interpreted by /bin/sh during command construction and execution when shell=true is used, enabling arbitrary command execution.
Local attackers can exploit the vulnerability without privileges (PR:N) by setting a malicious TERMINAL environment variable, triggering it during normal CLI execution or via the deep-link handler path. Successful exploitation results in arbitrary command execution with the privileges of the user running the CLI, potentially leading to full system compromise for that user. The CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability.
Advisories from Phoenix Security and VulnCheck provide further details on the vulnerability, including recommendations for mitigation; security practitioners should review these references for patch information and workarounds: https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/ and https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-terminal-environment-variable.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: claude, claude