CVE-2026-35021
Published: 06 April 2026
Summary
CVE-2026-35021 is a high-severity OS Command Injection (CWE-78) vulnerability in Phoenix (inferred from references). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates file path inputs to the prompt editor utility, rejecting shell metacharacters like $() or backticks that enable OS command injection.
Mandates timely patching and remediation of the specific command injection flaw in the Anthropic Claude Code CLI and Agent SDK.
Limits the scope and impact of arbitrary command execution by enforcing least privilege for users or processes running the vulnerable CLI.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in CLI tool enables exploitation for client execution (T1203) and arbitrary Unix shell command execution (T1059.004) via metacharacter interpolation in execSync.
NVD Description
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious file paths. Attackers can inject shell metacharacters such as $()…
more
or backtick expressions into file paths that are interpolated into shell commands executed via execSync. Although the file path is wrapped in double quotes, POSIX shell semantics (POSIX §2.2.3) do not prevent command substitution within double quotes, allowing injected expressions to be evaluated and resulting in arbitrary command execution with the privileges of the user running the CLI.
Deeper analysisAI
CVE-2026-35021 is an OS command injection vulnerability (CWE-78) affecting the Anthropic Claude Code CLI and Claude Agent SDK, published on 2026-04-06 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The flaw exists in the prompt editor invocation utility, where crafted malicious file paths containing shell metacharacters such as $() or backtick expressions are interpolated into shell commands executed via execSync. Although the file path is wrapped in double quotes, POSIX shell semantics (POSIX §2.2.3) permit command substitution within double quotes, enabling evaluation of injected expressions and resulting in arbitrary command execution with the privileges of the user running the CLI.
Local attackers require no privileges (PR:N) but need user interaction (UI:R), such as tricking a user into specifying a malicious file path for the prompt editor, with low attack complexity (AC:L). Exploitation grants arbitrary command execution in the context of the CLI user, potentially leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
Advisories from Phoenix Security and VulnCheck provide further details on the vulnerability, including analysis of the prompteditor.ts component and risks in CI/CD environments; practitioners should consult these for recommended mitigations and patches: https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/ and https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-prompteditor-ts.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: claude, claude