CVE-2026-35022
Published: 06 April 2026
Summary
CVE-2026-35022 is a uncategorised-severity an unspecified weakness vulnerability. Its CVSS base score is N/A.
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 30.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as APIs and Models; in the Not Applicable risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-35022, published on 2026-04-06, is an OS command injection vulnerability (CWE-78) in Anthropic's Claude Code CLI and Claude Agent SDK. The flaw occurs during authentication helper execution, where configuration values are passed to shell commands using shell=true without input validation. Vulnerable parameters include apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote exploitation.
Attackers who can influence authentication settings in these tools can inject shell metacharacters through the affected parameters, enabling execution of arbitrary OS commands with the privileges of the user or automation environment running the CLI or SDK. Successful exploitation allows for credential theft and exfiltration of environment variables, compromising sensitive data in development, CI/CD pipelines, or automated workflows.
Security practitioners should consult published advisories for mitigation guidance and patch details, including the Phoenix Security analysis at https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-authentication-helper.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19442
Vulnerability details
Rejected reason: This CVE ID has been rejected by its CVE Numbering Authority (CNA). It was determined that the -p flag behavior is documented in Anthropic's claude -h output with an explicit warning that non-interactive mode should only be used…
more
in trusted directories, making this intended and described behavior rather than a vulnerability.
- CWE(s)
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- Not Applicable
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: anthropic, claude
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The OS command injection vulnerability directly enables arbitrary shell command execution (T1059.004: Unix Shell) via injected metacharacters in authentication helpers and exploitation of the client-side CLI/SDK for code execution (T1203).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of untrusted configuration values (apiKeyHelper, awsAuthRefresh, etc.) before they are passed to shell commands with shell=true.
Limits the privileges of the Claude CLI/SDK process so that successful command injection cannot easily exfiltrate credentials or affect the broader environment.
Restricts the use of shell execution and non-interactive helper mechanisms to only the minimal functionality required in trusted directories, matching the documented warning.
References
- No references listed