Summary
CVE-2026-35020 is an OS command injection vulnerability in Claude Code CLI and Claude Agent SDK. It occurs when the application constructs shell commands using the TERMINAL environment variable without proper validation. Attackers can inject shell metacharacters that are interpreted by /bin/sh, enabling execution of arbitrary commands. The issue can be triggered during normal CLI usage or through the deep-link handler, with commands running under the privileges of the user executing the tool. Affected versions include Claude Code up to 2.1.91 and Claude Agent SDK up to 0.1.55, with fixes available in later versions.
Urgent Actions Required
- Update Claude Code CLI to version 2.1.92 or later.
- Update Claude Agent SDK for Python to version 0.1.56 or later.
- Control or sanitize the TERMINAL environment variable to prevent injection.
- Avoid using shell-based execution (shell=true) when handling external input.
- Monitor systems for unusual command execution behavior.
Which Systems Are Vulnerable to CVE-2026-22769?
Technical Overview
- Vulnerability Type: OS Command Injection (CWE-78) via environment variable manipulation
- Affected Software/Versions:
- Claude Code CLI (up to version 2.1.91)
- Claude Agent SDK for Python (up to version 0.1.55)
- Attack Vector: Local (environment variable control)
- CVSS Vector: v4.0
- Attack Vector (AV): Local
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): None
- User Interaction (UI): None
- Vulnerable System Confidentiality (VC): High
- Vulnerable System Integrity (VI): High
- Vulnerable System Availability (VA): High
- Subsequent System Confidentiality (SC): None
- Subsequent System Integrity (SI): None
- Subsequent System Availability (SA): None
- Patch Availability: Yes, available
How Does the CVE-2026-3909 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2026-35020?
Vulnerability Root Cause:
The issue arises from improper handling of externally influenced input in command execution. The CLI constructs shell commands using the TERMINAL environment variable without properly sanitizing it. When these commands are executed with shell=true, injected shell metacharacters are interpreted by /bin/sh. This lack of input validation allows unintended command execution, leading to OS command injection.
How Can You Mitigate CVE-2026-35020?
If immediate patching is delayed or not possible:
- Sanitize or unset the TERMINAL environment variable before running the CLI.
- Avoid using shell=true when constructing and executing commands.
- Restrict access to systems running the CLI to trusted users only.
- Control and limit who can modify environment variables in the execution environment.
- Monitor logs for unusual or unexpected command execution activity.
Which Assets and Systems Are at Risk?
- Asset Types Affected:
- Developer tools - Systems running Claude Code CLI
- Automation environments - Using Claude Agent SDK for Python
- Local systems - Where CLI or SDK is installed
- Business-Critical Systems at Risk:
- Development environments - Where CLI tools are used
- CI/CD pipelines - If integrated into workflows
- Sensitive systems - Risk of command execution and credential exposure
- Exposure Level:
- Local access required - Needs control over environment variables
- Developer environments - Where variables can be modified
- Unpatched systems - Running affected versions
Will Patching CVE-2026-35020 Cause Downtime?
Patch application impact: Low impact. Updating to Claude Code 2.1.92+ and Agent SDK 0.1.56+ typically requires minimal disruption with little to no downtime.
Mitigation (if immediate patching is not possible): Limited risk reduction. Sanitize or unset the TERMINAL variable and avoid shell=true. Restrict access and monitor activity. Full risk remains until patched.
How Can You Detect CVE-2026-35020 Exploitation?
Exploitation Signatures:
Look for manipulation of the TERMINAL environment variable containing shell metacharacters. Monitor for command execution triggered through CLI or deep-link handler paths.
Indicators of Compromise (IOCs/IOAs):
- Unexpected commands executed with user-level privileges
- Abnormal use or modification of the TERMINAL environment variable
- Signs of credential access or data exposure following command execution
Behavioral Indicators:
- Commands executed via /bin/sh that were not intended by the application
- CLI or SDK triggering shell commands unexpectedly
- Unusual activity during normal CLI execution or deep-link usage
Alerting Strategy:
- Priority: Critical
- Trigger alerts for:
- Changes to environment variables related to CLI execution
- Unexpected shell command activity from CLI or SDK processes
- Anomalous command patterns indicating injection attempts
Remediation & Response
- Remediation Timeline:
- Immediate: Update to patched versions (Claude Code 2.1.92+ and Agent SDK 0.1.56+)
- Short term: Restrict local access and control environment variable usage
- Follow-up: Ensure no affected versions remain in use
- Rollback Plan:
- Revert to a previous setup if issues occur after the update
- Reapply controls on environment variable handling and access restrictions
- Incident Response Considerations:
- Monitor systems for unexpected command execution activity
- Review logs for misuse of the TERMINAL environment variable
- Check for signs of unauthorized access, credential exposure, or data impact
- Strengthen monitoring to detect abnormal CLI or SDK behavior
References:
