CVE-2026-35022
Published: 06 April 2026
Summary
CVE-2026-35022 is a critical-severity OS Command Injection (CWE-78) vulnerability in Phoenix (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 30.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the lack of input validation on authentication helper parameters like apiKeyHelper before shell execution, preventing command injection.
Requires timely identification, reporting, and patching of the specific OS command injection flaw in the Claude Code CLI and Agent SDK.
Limits the impact of arbitrary command execution by enforcing least privilege on user and automation processes running the vulnerable tools.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The OS command injection vulnerability directly enables arbitrary shell command execution (T1059.004: Unix Shell) via injected metacharacters in authentication helpers and exploitation of the client-side CLI/SDK for code execution (T1203).
NVD Description
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through…
more
parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to execute arbitrary commands with the privileges of the user or automation environment, enabling credential theft and environment variable exfiltration.
Deeper analysisAI
CVE-2026-35022, published on 2026-04-06, is an OS command injection vulnerability (CWE-78) in Anthropic's Claude Code CLI and Claude Agent SDK. The flaw occurs during authentication helper execution, where configuration values are passed to shell commands using shell=true without input validation. Vulnerable parameters include apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote exploitation.
Attackers who can influence authentication settings in these tools can inject shell metacharacters through the affected parameters, enabling execution of arbitrary OS commands with the privileges of the user or automation environment running the CLI or SDK. Successful exploitation allows for credential theft and exfiltration of environment variables, compromising sensitive data in development, CI/CD pipelines, or automated workflows.
Security practitioners should consult published advisories for mitigation guidance and patch details, including the Phoenix Security analysis at https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-authentication-helper.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: claude, claude