CVE-2026-35021
Published: 06 April 2026
Summary
CVE-2026-35021 is an uncategorised-severity vulnerability of an unspecified weakness type. Its CVSS base score is N/A.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It is ranked at the 12.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as APIs and Models, in the Not Applicable risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-35021 is an OS command injection vulnerability (CWE-78) affecting the Anthropic Claude Code CLI and Claude Agent SDK, published on 2026-04-06 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The flaw exists in the prompt editor invocation utility, where crafted malicious file paths containing shell metacharacters such as $() or backtick expressions are interpolated into shell commands executed via execSync. Although the file path is wrapped in double quotes, POSIX shell semantics (POSIX §2.2.3) permit command substitution within double quotes, enabling evaluation of injected expressions and resulting in arbitrary command execution with the privileges of the user running the CLI.
Local attackers require no privileges (PR:N) but need user interaction (UI:R), such as tricking a user into specifying a malicious file path for the prompt editor, with low attack complexity (AC:L). Exploitation grants arbitrary command execution in the context of the CLI user, potentially leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
Advisories from Phoenix Security and VulnCheck provide further details on the vulnerability, including analysis of the prompteditor.ts component and risks in CI/CD environments; practitioners should consult these for recommended mitigations and patches: https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/ and https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-prompteditor-ts.
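The double-quote behaviour described above, and the argv-based alternative to shell interpolation, as an added example (not code from Claude Code or from the advisories). The function names, the sample path and the use of printf as a stand-in for the editor binary are assumptions made for illustration.

```javascript
// Added example with constructed names; this is not the prompt editor source.
const { execSync, execFileSync } = require('node:child_process');

// Constructed sample: a file path carrying a harmless command substitution.
const SAMPLE_PATH = '/tmp/notes-$(echo INJECTED).md';

// Weak pattern: the path is interpolated into a shell string. Double quotes
// stop word splitting and globbing, but the shell still evaluates $() and
// backticks inside them. `printf %s` stands in for the editor so the only
// effect is that the argument the "editor" received is echoed back.
function openWithShellString(editorCmd, filePath) {
  return execSync(`${editorCmd} "${filePath}"`, { encoding: 'utf8' });
}

// Hardened pattern: no shell is involved. The path travels as one argv
// element, so metacharacters reach the program as literal bytes.
function openWithArgv(editorBin, editorArgs, filePath) {
  return execFileSync(editorBin, [...editorArgs, filePath], { encoding: 'utf8' });
}

// Input validation as a second layer: flag paths containing shell expansion
// syntax before they reach any process-spawning call. The pattern is an
// assumption; it covers $(...), ${...} and backticks only.
function hasShellExpansion(filePath) {
  return /\$\(|\$\{|`/.test(filePath);
}

// Returns what each call path hands to the "editor" for the same input.
function compare(filePath) {
  return {
    flagged: hasShellExpansion(filePath),
    viaShellString: openWithShellString('printf %s', filePath),
    viaArgv: openWithArgv('printf', ['%s'], filePath),
  };
}

console.log(compare(SAMPLE_PATH));
```

The shell-string call returns a path in which the substitution has already been evaluated, while the argv call returns the path byte for byte.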
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19440
Vulnerability details
Rejected reason: This CVE ID has been rejected by its CVE Numbering Authority (CNA). It was determined that the affected code path cannot be triggered through normal usage of Claude Code.
- CWE(s)
AI Security Analysis
- AI Category: APIs and Models
- Risk Domain: Not Applicable
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: claude
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in CLI tool enables exploitation for client execution (T1203) and arbitrary Unix shell command execution (T1059.004) via metacharacter interpolation in execSync.
Mitigating Controls (NIST 800-53 r5)
Requires validation and sanitization of untrusted file paths before they are interpolated into execSync shell commands, directly blocking metacharacter command substitution.
Ensures the Claude Code CLI runs with only the privileges needed for its function, limiting the scope of arbitrary commands that can be executed via the injection.
Restricts the use of shell interpreters and command-substitution features within the prompt-editor code path, reducing the attack surface for OS command injection.