Cyber Resilience

CVE-2026-35020

Severity: N/A
Published: 06 April 2026
Modified: 29 May 2026
KEV Added: not listed
Patch: none listed
CVSS Score: N/A
EPSS Score: 0.0011 (29.7th percentile)
Risk Priority: 0 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35020 carries no severity rating and no weakness category on its CVE record, and its CVSS base score is N/A. The record was rejected by its CNA (see Vulnerability details below); the analysis in this page nevertheless classifies the underlying issue as OS command injection (CWE-78) and assigns it a CVSS v3.1 base score of 8.4.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). Its EPSS score places it at the 29.7th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-35020, published on 2026-04-06, is described as an OS command injection vulnerability (CWE-78) in the Anthropic Claude Code CLI and Claude Agent SDK. The issue affects the command lookup helper and deep-link terminal launcher components, where a local attacker who can set the TERMINAL environment variable can inject shell metacharacters. Because the command line is assembled as a single string and executed with shell=true, /bin/sh interprets those metacharacters during command construction and execution, enabling arbitrary command execution.

A local attacker exploits the issue without privileges (PR:N) by setting a malicious TERMINAL value and then triggering the lookup during normal CLI execution or via the deep-link handler path. Successful exploitation yields arbitrary command execution with the privileges of the user running the CLI, potentially leading to full compromise of that user's account and data. The CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability. Note that the CNA rejected the CVE record on the grounds that an attacker who already controls environment variables effectively has code execution, which it considers outside the threat model of a CLI tool (see Vulnerability details below); practitioners assessing exposure should weigh that argument against any deployment in which an untrusted party can influence the environment the CLI inherits.

Advisories from Phoenix Security and VulnCheck provide further details on the vulnerability, including recommendations for mitigation; security practitioners should review these references for patch information and workarounds: https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/ and https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-terminal-environment-variable.

Vulnerability details

Rejected reason: This CVE ID has been rejected by its CVE Numbering Authority (CNA). It was determined that the attack requires an attacker to already control arbitrary environment variables, a level of access the CNA considers functionally equivalent to code execution and outside the threat model of CLI tools.

CWE(s)
None listed on the CVE record (the analysis above classifies the issue as CWE-78, OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability enables exploitation of a client-side CLI tool (T1203) via OS command injection into /bin/sh (T1059.004), allowing arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35022 (shared CWE-78)
CVE-2026-27487 (shared CWE-78)
CVE-2026-35021 (shared CWE-78)
CVE-2025-57771 (shared CWE-78)
CVE-2026-41015 (shared CWE-78)
CVE-2025-58370 (shared CWE-78)
CVE-2026-5485 (shared CWE-78)
CVE-2025-1244 (shared CWE-78)
CVE-2026-40030 (shared CWE-78)
CVE-2026-25157 (shared CWE-78)

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: SI-10 (Information Input Validation). Directly requires validation and sanitization of untrusted input (the TERMINAL environment variable) before it is concatenated into a /bin/sh command string with shell=true.

prevent: CM-7 (Least Functionality). Enforces disabling or restricting high-risk functionality, such as shell invocation, in the command-lookup and deep-link components that enable the injection.

prevent: Least privilege for the CLI process. Limits the privileges under which the CLI runs, thereby reducing the impact of any commands executed via the malicious TERMINAL variable.
