Cyber Resilience

CVE-2026-35022

N/AUpdated

Published: 06 April 2026

Published
06 April 2026
Modified
29 May 2026
KEV Added
Patch
CVSS Score N/A
EPSS Score 0.0060 69.7th percentile
Risk Priority 0 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35022 is a uncategorised-severity an unspecified weakness vulnerability. Its CVSS base score is N/A.

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 30.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as APIs and Models; in the Not Applicable risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-35022, published on 2026-04-06, is an OS command injection vulnerability (CWE-78) in Anthropic's Claude Code CLI and Claude Agent SDK. The flaw occurs during authentication helper execution, where configuration values are passed to shell commands using shell=true without input validation. Vulnerable parameters include apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote exploitation.

Attackers who can influence authentication settings in these tools can inject shell metacharacters through the affected parameters, enabling execution of arbitrary OS commands with the privileges of the user or automation environment running the CLI or SDK. Successful exploitation allows for credential theft and exfiltration of environment variables, compromising sensitive data in development, CI/CD pipelines, or automated workflows.

Security practitioners should consult published advisories for mitigation guidance and patch details, including the Phoenix Security analysis at https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-authentication-helper.

EU & UK References

Vulnerability details

Rejected reason: This CVE ID has been rejected by its CVE Numbering Authority (CNA). It was determined that the -p flag behavior is documented in Anthropic's claude -h output with an explicit warning that non-interactive mode should only be used…

more

in trusted directories, making this intended and described behavior rather than a vulnerability.

CWE(s)
None listed

AI Security AnalysisAI

AI Category
APIs and Models
Risk Domain
Not Applicable
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: anthropic, claude

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The OS command injection vulnerability directly enables arbitrary shell command execution (T1059.004: Unix Shell) via injected metacharacters in authentication helpers and exploitation of the client-side CLI/SDK for code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27487Shared CWE-78
CVE-2026-35020Shared CWE-78
CVE-2026-35021Shared CWE-78
CVE-2025-57771Shared CWE-78
CVE-2026-41015Shared CWE-78
CVE-2025-58370Shared CWE-78
CVE-2026-5485Shared CWE-78
CVE-2025-1244Shared CWE-78
CVE-2026-40030Shared CWE-78
CVE-2026-25157Shared CWE-78

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted configuration values (apiKeyHelper, awsAuthRefresh, etc.) before they are passed to shell commands with shell=true.

prevent

Limits the privileges of the Claude CLI/SDK process so that successful command injection cannot easily exfiltrate credentials or affect the broader environment.

prevent

Restricts the use of shell execution and non-interactive helper mechanisms to only the minimal functionality required in trusted directories, matching the documented warning.

References