CVE-2026-35020 Overview
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability (CWE-78) in the command lookup helper and the deep-link terminal launcher that allows local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. Attackers can inject shell metacharacters into the TERMINAL variable, which are interpreted by /bin/sh when the command lookup helper constructs and executes shell commands with shell=true. The vulnerability can be triggered during normal CLI execution as well as via the deep-link handler path, resulting in arbitrary command execution with the privileges of the user running the CLI.
Critical Impact
Local attackers can achieve arbitrary command execution with full user privileges by injecting malicious shell metacharacters into the TERMINAL environment variable, potentially leading to credential exfiltration and complete system compromise.
Affected Products
- Anthropic Claude Code CLI
- Anthropic Claude Agent SDK
- Systems using the command lookup helper with shell=true execution
Discovery Timeline
- 2026-04-06 - CVE-2026-35020 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35020
Vulnerability Analysis
This vulnerability stems from unsafe handling of environment variables when constructing shell commands. The Claude Code CLI and Agent SDK use a command lookup helper that reads the TERMINAL environment variable to determine which terminal emulator to use for launching processes. When this value is passed to a shell execution function with shell=true, the variable content is not sanitized, so any shell metacharacters it contains are interpreted and executed.
The deep-link terminal launcher provides an additional attack surface, as it also relies on the same unsafe command construction pattern. This creates multiple entry points for exploitation, making the vulnerability particularly concerning for CI/CD environments where environment variables may be influenced by external inputs.
Root Cause
The root cause is the failure to neutralize special characters in the TERMINAL value before it is used in an OS command (CWE-78: OS Command Injection) in the command lookup helper component. The TERMINAL environment variable is concatenated directly into shell commands without validation or escaping. When these commands are executed with shell=true, the shell interprets metacharacters such as semicolons, backticks, $(), and pipe operators, allowing command chaining and injection.
Attack Vector
This is a local attack vector requiring the attacker to have the ability to control or influence the TERMINAL environment variable before the CLI is executed. Attack scenarios include:
- CI/CD Pipeline Exploitation - Attackers with access to CI/CD configuration can set malicious environment variables that persist when Claude Code CLI is invoked during build or deployment processes
- Shared System Exploitation - On multi-user systems, an attacker could potentially influence environment variables through various means such as shell initialization scripts or profile configurations
- Deep-Link Handler Abuse - The deep-link terminal launcher path provides an alternative trigger mechanism where specially crafted deep-links could invoke the vulnerable code path
The attacker sets the TERMINAL environment variable to include shell metacharacters and malicious commands. When the CLI executes and reaches the command lookup helper, the malicious payload is passed to /bin/sh and executed with the privileges of the user running the CLI. This can result in credential theft, data exfiltration, or further system compromise.
Detection Methods for CVE-2026-35020
Indicators of Compromise
- Unusual or malformed values in the TERMINAL environment variable containing shell metacharacters (;, |, $(), backticks)
- Unexpected child processes spawned by Claude Code CLI or Claude Agent SDK
- Anomalous network connections or file access patterns originating from CLI processes
- Evidence of credential access or exfiltration attempts coinciding with CLI execution times
Detection Strategies
- Monitor environment variable values for shell metacharacters before CLI invocation, particularly in CI/CD pipelines
- Implement process monitoring to detect unexpected command execution patterns from Claude Code CLI processes
- Deploy file integrity monitoring on sensitive credential stores and configuration files
- Enable comprehensive logging of shell command executions and environment variable states
Monitoring Recommendations
- Configure SIEM alerts for process trees showing suspicious child processes spawned by Claude CLI components
- Monitor for environment variable manipulation in CI/CD job logs and audit trails
- Track network egress from systems running Claude Code CLI for potential data exfiltration
- Implement baseline behavior analysis to detect anomalous CLI execution patterns
How to Mitigate CVE-2026-35020
Immediate Actions Required
- Audit all environments where Claude Code CLI or Claude Agent SDK are deployed for potentially malicious TERMINAL variable values
- Restrict environment variable setting capabilities in CI/CD pipelines to trusted sources only
- Implement environment variable allowlisting or sanitization before invoking CLI tools
- Review access controls on systems where the vulnerable components are installed
Patch Information
Review the VulnCheck Advisory and Phoenix Security Analysis for the latest patch information and updated versions. Apply vendor-provided security updates as soon as they become available to address this command injection vulnerability.
Workarounds
- Set the TERMINAL environment variable to a known-safe, hardcoded value before invoking the CLI
- Use wrapper scripts that sanitize or unset the TERMINAL variable prior to CLI execution
- Run Claude Code CLI in isolated environments with restricted environment variable inheritance
- Implement network segmentation to limit potential exfiltration if exploitation occurs
The following wrapper script demonstrates how to validate and pin the TERMINAL variable before invoking the CLI:
#!/usr/bin/env bash
# Wrapper script - sanitize the TERMINAL variable before CLI execution
# Reject an inherited TERMINAL value that is anything other than a plain program
# name or path. An allowlist covers every metacharacter (; | ` $ ( ) & and
# whitespace) rather than only the ones a denylist enumerates, and failing
# loudly here surfaces tampering instead of silently masking it.
if [[ -n "${TERMINAL:-}" && ! "$TERMINAL" =~ ^[A-Za-z0-9_./+-]+$ ]]; then
    echo "ERROR: Invalid TERMINAL value detected" >&2
    exit 1
fi
# Then either unset the variable so the CLI falls back to its default ...
unset TERMINAL
# ... or pin it to a known-safe value (use one of the two)
export TERMINAL="xterm"
# Execute CLI with sanitized environment
exec claude-code "$@"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.