Cyber Resilience

CVE-2026-35021

N/AUpdated

Published: 06 April 2026

Published
06 April 2026
Modified
29 May 2026
KEV Added
Patch
CVSS Score N/A
EPSS Score 0.0004 12.9th percentile
Risk Priority 0 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35021 is a uncategorised-severity an unspecified weakness vulnerability. Its CVSS base score is N/A.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 12.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as APIs and Models; in the Not Applicable risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-35021 is an OS command injection vulnerability (CWE-78) affecting the Anthropic Claude Code CLI and Claude Agent SDK, published on 2026-04-06 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The flaw exists in the prompt editor invocation utility, where crafted malicious file paths containing shell metacharacters such as $() or backtick expressions are interpolated into shell commands executed via execSync. Although the file path is wrapped in double quotes, POSIX shell semantics (POSIX §2.2.3) permit command substitution within double quotes, enabling evaluation of injected expressions and resulting in arbitrary command execution with the privileges of the user running the CLI.

Local attackers require no privileges (PR:N) but need user interaction (UI:R), such as tricking a user into specifying a malicious file path for the prompt editor, with low attack complexity (AC:L). Exploitation grants arbitrary command execution in the context of the CLI user, potentially leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

Advisories from Phoenix Security and VulnCheck provide further details on the vulnerability, including analysis of the prompteditor.ts component and risks in CI/CD environments; practitioners should consult these for recommended mitigations and patches: https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/ and https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-prompteditor-ts.

EU & UK References

Vulnerability details

Rejected reason: This CVE ID has been rejected by its CVE Numbering Authority (CNA). It was determined that the affected code path cannot be triggered through normal usage of Claude Code.

CWE(s)
None listed

AI Security AnalysisAI

AI Category
APIs and Models
Risk Domain
Not Applicable
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: claude

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in CLI tool enables exploitation for client execution (T1203) and arbitrary Unix shell command execution (T1059.004) via metacharacter interpolation in execSync.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35022Shared CWE-78
CVE-2026-27487Shared CWE-78
CVE-2026-35020Shared CWE-78
CVE-2025-57771Shared CWE-78
CVE-2026-41015Shared CWE-78
CVE-2025-58370Shared CWE-78
CVE-2026-5485Shared CWE-78
CVE-2025-1244Shared CWE-78
CVE-2026-40030Shared CWE-78
CVE-2026-25157Shared CWE-78

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation and sanitization of untrusted file paths before they are interpolated into execSync shell commands, directly blocking metacharacter command substitution.

prevent

Ensures the Claude Code CLI runs with only the privileges needed for its function, limiting the scope of arbitrary commands that can be executed via the injection.

prevent

Restricts the use of shell interpreters and command-substitution features within the prompt-editor code path, reducing the attack surface for OS command injection.

References