Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45136

CVE-2026-45136: claude-code-cache-fix RCE Vulnerability

CVE-2026-45136 is a remote code execution flaw in claude-code-cache-fix versions 3.5.0 to 3.5.2 that allows attackers to execute arbitrary Python code. This article covers technical details, affected versions, and patches.

Published:

CVE-2026-45136 Overview

CVE-2026-45136 is a code injection vulnerability in claude-code-cache-fix, a cache optimization proxy for Claude Code. The flaw resides in tools/quota-statusline.sh, introduced in version 3.5.0. The script interpolates the Claude Code hook stdin payload directly into a Python triple-quoted string literal. An attacker who controls any field in that payload can inject a ''' byte sequence to close the literal early and execute arbitrary Python code inside the user's Claude Code process. The issue is fixed in version 3.5.2.

Critical Impact

Attackers can achieve arbitrary Python code execution in the user's Claude Code process by injecting a ''' sequence into any user-controlled field of the hook stdin payload.

Affected Products

  • claude-code-cache-fix versions 3.5.0 through 3.5.1
  • tools/quota-statusline.sh script introduced in v3.5.0
  • Claude Code environments using the cache optimization proxy

Discovery Timeline

  • 2026-05-27 - CVE-2026-45136 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-45136

Vulnerability Analysis

The vulnerability is classified under [CWE-78] as an OS command injection class issue, manifesting specifically as Python code injection. The quota-statusline.sh helper script constructs an inline Python program by embedding Claude Code hook stdin data inside a triple-quoted Python string literal. Triple-quoted strings in Python terminate at the first occurrence of three consecutive single quotes. Any field in the JSON payload that contains ''' therefore breaks out of the string context. Bytes following the closing delimiter are parsed as Python source and executed by the interpreter that runs the statusline tool.

Root Cause

The root cause is unsafe string interpolation of untrusted input into a code context. The script treats the hook payload as inert text and concatenates it into Python source before execution. No escaping, encoding, or parameterization separates data from code. The triple-quoted literal provides no protection because its delimiter can appear within the data itself.

Attack Vector

Exploitation requires local access because Claude Code processes hook stdin payloads on the user's machine. An attacker who can influence any user-controlled field reachable through the hook channel can inject the ''' sequence followed by Python statements. The injected code runs with the privileges of the Claude Code process, allowing access to files, credentials, and network resources available to that user session. No authentication or user interaction is required once the malicious payload reaches the statusline tool.

A detailed write-up is available in the GitHub Security Advisory GHSA-g3xq-3gmv-qq8g and the GitHub Issue Report.

Detection Methods for CVE-2026-45136

Indicators of Compromise

  • Presence of ''' byte sequences inside Claude Code hook stdin payloads passed to tools/quota-statusline.sh
  • Unexpected child processes spawned by the Claude Code statusline Python interpreter
  • Outbound network connections or file writes originating from the statusline process context

Detection Strategies

  • Inspect installed versions of claude-code-cache-fix and flag any release between 3.5.0 and 3.5.1 inclusive.
  • Scan hook payload logs and Claude Code stdin captures for triple-quote delimiters in user-controlled fields.
  • Monitor execution traces of quota-statusline.sh for child processes outside the expected Python interpreter activity.

Monitoring Recommendations

  • Enable process auditing on developer workstations running Claude Code to capture parent-child process relationships for quota-statusline.sh.
  • Alert on writes to sensitive paths such as ~/.ssh, ~/.aws, and credential stores by the Claude Code process tree.
  • Track outbound DNS and HTTP requests initiated by the statusline interpreter to detect data exfiltration attempts.

How to Mitigate CVE-2026-45136

Immediate Actions Required

  • Upgrade claude-code-cache-fix to version 3.5.2 or later on all systems where it is installed.
  • Audit Claude Code hook configurations and remove untrusted sources that can feed the statusline tool.
  • Rotate any credentials accessible to user accounts that ran vulnerable versions of the proxy.

Patch Information

The maintainer fixed the issue in claude-code-cache-fix version 3.5.2. The fix is tracked in Pull Request #110 and the GitHub Security Advisory GHSA-g3xq-3gmv-qq8g. The patch replaces unsafe string interpolation with safe handling of payload data so that hook input is no longer treated as Python source.

Workarounds

  • Disable or remove tools/quota-statusline.sh until the upgrade to 3.5.2 is complete.
  • Restrict Claude Code hook inputs to trusted sources only and reject payloads that contain triple-quote sequences.
  • Run Claude Code under a least-privileged account to limit the impact of arbitrary Python execution.
bash
# Upgrade claude-code-cache-fix to the patched release
pip install --upgrade 'claude-code-cache-fix>=3.5.2'

# Verify the installed version
pip show claude-code-cache-fix | grep -i version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.