CVE-2026-31861 Overview
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to version 1.24.0, a critical command injection vulnerability exists in the /api/user/git-config endpoint. The endpoint constructs shell commands by interpolating user-supplied gitName and gitEmail values into command strings passed to child_process.exec(). While the input is placed within double quotes and only the double-quote character (") is escaped, dangerous shell metacharacters including backticks (`), $() command substitution, and \\ escape sequences are all interpreted within double-quoted strings in bash. This allows authenticated attackers to execute arbitrary OS commands via the git configuration endpoint.
Critical Impact
Authenticated attackers can achieve full remote code execution on systems running Cloud CLI versions prior to 1.24.0 by exploiting improper input sanitization in the git configuration API endpoint.
Affected Products
- Cloud CLI (Claude Code UI) versions prior to 1.24.0
- Desktop installations of Claude Code UI
- Mobile installations of Claude Code UI
Discovery Timeline
- 2026-03-11 - CVE CVE-2026-31861 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-31861
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Code Injection), specifically manifesting as an OS command injection flaw. The vulnerable code path exists in the /api/user/git-config endpoint within the server/routes/user.js file. The application uses Node.js child_process.exec() to execute git commands, constructing the command string by directly interpolating user-controlled values.
The fundamental issue is incomplete input sanitization. While the developers attempted to prevent injection by escaping double-quote characters, they failed to account for other shell metacharacters that are interpreted within double-quoted bash strings. An attacker with valid authentication can craft malicious gitName or gitEmail values containing backticks or $() syntax to inject and execute arbitrary system commands with the privileges of the Node.js process.
Root Cause
The root cause is the use of child_process.exec() with string concatenation to build shell commands from user input. The exec() function spawns a shell (typically /bin/sh or bash) to interpret the command string, which inherently processes shell metacharacters. The incomplete escaping strategy only addressed double-quote characters but left command substitution syntax ($() and backticks) and backslash escape sequences vulnerable to exploitation.
Attack Vector
The attack requires network access and valid authentication credentials to the Cloud CLI application. An authenticated attacker can send a crafted HTTP request to the /api/user/git-config endpoint with malicious payload in the gitName or gitEmail parameters. For example, a gitEmail value containing `whoami` or $(id) would result in command execution when the application constructs and executes the git configuration command.
The security patch addresses this by replacing child_process.exec() with child_process.spawn() and explicitly setting shell: false. This ensures that arguments are passed directly to the command without shell interpretation, eliminating the command injection attack surface entirely.
import { userDb } from '../database/db.js';
import { authenticateToken } from '../middleware/auth.js';
import { getSystemGitConfig } from '../utils/gitConfig.js';
-import { exec } from 'child_process';
-import { promisify } from 'util';
+import { spawn } from 'child_process';
-const execAsync = promisify(exec);
const router = express.Router();
+function spawnAsync(command, args, options = {}) {
+ return new Promise((resolve, reject) => {
+ const child = spawn(command, args, { ...options, shell: false });
+ let stdout = '';
+ let stderr = '';
+ child.stdout.on('data', (data) => { stdout += data.toString(); });
+ child.stderr.on('data', (data) => { stderr += data.toString(); });
+ child.on('error', (error) => { reject(error); });
+ child.on('close', (code) => {
+ if (code === 0) { resolve({ stdout, stderr }); return; }
+ const error = new Error(`Command failed: ${command} ${args.join(' ')}`);
+ error.code = code;
+ error.stdout = stdout;
+ error.stderr = stderr;
+ reject(error);
+ });
+ });
+}
+
router.get('/git-config', authenticateToken, async (req, res) => {
Source: GitHub Commit
Detection Methods for CVE-2026-31861
Indicators of Compromise
- Unusual POST/PUT requests to /api/user/git-config containing shell metacharacters (backticks, $(), $(, backslashes) in gitName or gitEmail parameters
- Unexpected child processes spawned by the Node.js application process
- Anomalous system command execution patterns originating from the Cloud CLI service
- Web server logs showing encoded or malformed email/name values in git configuration requests
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing shell metacharacters in the git-config endpoint parameters
- Monitor Node.js process spawning behavior for unexpected child processes, particularly shells or system utilities
- Enable and review application-level logging for the /api/user/git-config endpoint to identify suspicious input patterns
- Deploy endpoint detection and response (EDR) solutions to identify command injection exploitation attempts
Monitoring Recommendations
- Configure alerting for requests to /api/user/git-config containing patterns matching command substitution syntax
- Monitor for unusual network connections or file system access originating from the Cloud CLI process
- Implement application performance monitoring (APM) to track abnormal execution times that may indicate exploitation attempts
- Review authentication logs for accounts making repeated requests to the vulnerable endpoint
How to Mitigate CVE-2026-31861
Immediate Actions Required
- Upgrade Cloud CLI (Claude Code UI) to version 1.24.0 or later immediately
- If immediate upgrade is not possible, temporarily disable or restrict access to the /api/user/git-config endpoint
- Review server logs for evidence of exploitation attempts prior to patching
- Rotate any credentials or tokens that may have been exposed if compromise is suspected
Patch Information
The vulnerability has been fixed in Cloud CLI version 1.24.0. The patch replaces the vulnerable child_process.exec() implementation with child_process.spawn() using the shell: false option, which prevents shell interpretation of user input. Users should upgrade to version 1.24.0 or later by following the instructions in the GitHub Release v1.24.0. Additional details are available in the GitHub Security Advisory GHSA-7fv4-fmmc-86g2.
Workarounds
- Implement a reverse proxy or WAF rule to sanitize or reject requests containing shell metacharacters to the /api/user/git-config endpoint
- Restrict network access to the Cloud CLI application to trusted IP ranges or VPN only
- Temporarily disable the git configuration functionality by modifying server routing until the patch can be applied
- Implement additional authentication requirements for the affected endpoint as a defense-in-depth measure
# Example: Block suspicious requests at nginx level (temporary workaround)
# Add to nginx server configuration
location /api/user/git-config {
# Reject requests containing common command injection patterns
if ($request_body ~* "(\$\(|`|\\\\)") {
return 403;
}
proxy_pass http://localhost:3000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
