Summary
CVE-2026-35022 is a critical OS command injection vulnerability in Anthropic Claude Code CLI and Claude Agent SDK, caused by the execution of authentication helper configurations with shell interpretation and no input validation. Attackers who can influence these settings can inject commands via parameters like apiKeyHelper and cloud credential helpers, leading to arbitrary command execution, credential theft, and data exfiltration, particularly in CI/CD environments where such configurations may be externally controlled.
Urgent Actions Required
- Update CLI (>2.1.91) and SDK (>0.1.55).
- Disable authentication helpers; use environment variables instead.
- Restrict and review .claude/settings.json changes, especially in PRs.
- Avoid running the CLI against untrusted repositories or external contributions in CI/CD environments.
- Audit authentication helper values for any unexpected or unsafe inputs.
Which Systems Are Vulnerable to CVE-2026-35022?
Technical Overview
- Vulnerability Type: OS Command Injection (CWE-78)
- Affected Software/Versions:
  - Claude Code CLI: up to 2.1.91
  - Claude Agent SDK for Python: up to 0.1.55
- CVSS Vector: v3.1
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
- Patch Availability: Yes, available
How Does the CVE-2026-35022 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2026-35022?
Vulnerability Root Cause:
This issue arises from the unsafe handling of authentication helper configurations in Claude Code CLI and Agent SDK. The application executes helper parameters such as apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh using shell=true without validating input. Attackers can inject shell characters into configs, enabling command execution with user privileges, leading to credential theft and environment variable exposure.
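The difference between shell and direct execution of a configured helper string, as an added Python illustration (not Anthropic's code or its patch). The function names and helper values are constructed for this example, and `MARKER` stands in for anything appended after a shell control operator.

```python
import os
import shlex
import subprocess


def run_helper_with_shell(helper: str) -> str:
    """Pattern described above: the whole configured string is handed to a shell."""
    done = subprocess.run(helper, shell=True, capture_output=True, text=True, timeout=5)
    return done.stdout


def run_helper_without_shell(helper: str) -> str:
    """Hardened form: tokenize once, then execute the program directly (no shell)."""
    argv = shlex.split(helper)
    if not argv:
        raise ValueError("helper is empty")
    # Pass only PATH so the helper does not inherit secrets from the parent environment.
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    done = subprocess.run(argv, shell=False, env=env,
                          capture_output=True, text=True, timeout=5)
    return done.stdout


# Constructed helper values; the second carries a shell control operator.
CONFIGURED = "echo example-key"
TAMPERED = "echo example-key; echo MARKER"

if __name__ == "__main__":
    for value in (CONFIGURED, TAMPERED):
        print(repr(value))
        print("  shell   :", run_helper_with_shell(value).splitlines())
        print("  no shell:", run_helper_without_shell(value).splitlines())
```

With a shell, the tampered value runs as two commands; without one, the `;` and everything after it are plain arguments to the first program.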
How Can You Mitigate CVE-2026-35022?
If immediate patching is delayed or not possible:
- Stop using authentication helper configurations such as apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh.
- Set the ANTHROPIC_API_KEY directly as an environment variable instead of relying on helper execution.
- Review and restrict changes to .claude/settings.json, especially in pull requests.
- Avoid running the CLI in CI/CD pipelines against untrusted repositories or external contributions.
- Audit authentication helper values for unexpected content or shell metacharacters.
- Restrict and review access to Claude Code configuration files.
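One way to run the audit from the list above over a settings file or a pull request's version of it, as an added example rather than a vendor tool. The helper key names come from this advisory; the metacharacter set and the sample settings are constructed, and the walk does not assume where in the JSON a helper key sits.

```python
import json
import re

HELPER_KEYS = ("apiKeyHelper", "awsAuthRefresh", "awsCredentialExport", "gcpAuthRefresh")
# Control operators, substitution, redirection and newline (constructed set).
SHELL_META = re.compile(r"[;&|`$<>()\n]")


def find_helpers(node, path=""):
    """Yield (json_path, value) for every helper key at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in HELPER_KEYS:
                yield here, value
            else:
                yield from find_helpers(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_helpers(item, f"{path}[{index}]")


def audit_settings(text: str) -> list:
    """Report every configured helper and the shell metacharacters it contains."""
    findings = []
    for where, value in find_helpers(json.loads(text)):
        shown = value if isinstance(value, str) else json.dumps(value)
        meta = sorted(set(SHELL_META.findall(shown)))
        findings.append({"path": where, "value": shown, "metacharacters": meta})
    return findings


# Constructed settings content for the demonstration.
SAMPLE_SETTINGS = """{
  "apiKeyHelper": "/usr/local/bin/get-key --profile ci",
  "awsAuthRefresh": "aws sso login; echo MARKER"
}"""

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS):
        level = "REVIEW" if finding["metacharacters"] else "helper in use"
        print(f'{level}: {finding["path"]} = {finding["value"]!r} {finding["metacharacters"]}')
```

Every configured helper is reported, not only those with metacharacters, because the mitigation above is to stop using helpers altogether.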
Which Assets and Systems Are at Risk?
- Asset Types Affected:
  - Claude Code CLI deployments, especially versions ≤ 2.1.91
  - Claude Agent SDK for Python environments, especially versions ≤ 0.1.55
  - Development and automation environments where authentication helpers are configured
- Business-Critical Systems at Risk:
  - CI/CD pipelines where configuration can be modified through repositories or pull requests
  - Cloud environments using AWS or GCP credentials handled via authentication helpers
  - Developer workstations running the CLI with access to sensitive environment variables
- Exposure Level:
  - CI/CD environments where configuration files are repository-controlled
  - Automated workflows running in non-interactive mode
  - Environments where authentication helper parameters are enabled and not validated
Will Patching CVE-2026-35022 Cause Downtime?
Patch application impact: Low impact. Upgrade CLI (>2.1.91) and SDK (>0.1.55). Test before rollout.
Mitigation (if immediate patching is not possible): No downtime required. Disable authentication helpers, use environment variables, and restrict config changes. Reduces risk but does not fully fix the issue.
How Can You Detect CVE-2026-35022 Exploitation?
Exploitation Signatures:
Monitor for unusual child processes spawned by the Claude Code CLI, especially shell or network utilities. Activity involving environment variable access or external communication may indicate exploitation.
Indicators of Compromise (IOCs/IOAs):
- Child processes such as /sh, /bash, curl, wget, or nc triggered by the CLI
- Commands accessing environment variables (e.g., printenv, $AWS_SECRET, $ANTHROPIC_API_KEY)
- Authentication helper configurations containing unexpected values or shell metacharacters
Behavioral Indicators:
- Unexpected command execution from the Claude Code CLI process
- Environment variable access or export during execution
- Modifications in .claude configuration involving authentication helper parameters
Alerting Strategy:
- Priority: High
- Trigger alerts for:
  - Suspicious child processes spawned by the CLI
  - Attempts to read or exfiltrate environment variables
  - Changes to authentication helper configurations with unusual content
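The child-process and environment-access indicators above, expressed as a rule over process-creation events. This is an added example, not a vendor detection: the JSON event shape, the parent process name `claude` and the sample events are assumptions to be replaced with what your telemetry records.

```python
import json
import os
import re

CLI_PARENTS = {"claude"}  # assumption: the CLI's process name in your telemetry
WATCHED_CHILDREN = {"sh", "bash", "curl", "wget", "nc"}  # from the IOC list above
SECRET_ACCESS = re.compile(r"\bprintenv\b|\$\{?(AWS_SECRET|ANTHROPIC_API_KEY)")


def score_event(event: dict):
    """Return an alert for a process-creation event, or None if it is not of interest."""
    if os.path.basename(event["parent"]) not in CLI_PARENTS:
        return None
    reasons = []
    if os.path.basename(event["image"]) in WATCHED_CHILDREN:
        reasons.append("watched child process")
    if SECRET_ACCESS.search(event["cmdline"]):
        reasons.append("environment/credential access")
    if not reasons:
        return None
    severity = "high" if len(reasons) == 2 else "medium"
    return {"pid": event["pid"], "severity": severity, "reasons": reasons}


def detect(lines) -> list:
    """Score JSON-lines process events and keep the ones that raise an alert."""
    alerts = (score_event(json.loads(line)) for line in lines)
    return [alert for alert in alerts if alert is not None]


# Constructed events (one JSON object per line), not real telemetry.
SAMPLE_EVENTS = [
    '{"pid": 101, "parent": "/usr/local/bin/claude", "image": "/usr/bin/git", "cmdline": "git status"}',
    '{"pid": 102, "parent": "/usr/local/bin/claude", "image": "/bin/sh", "cmdline": "sh -c /usr/local/bin/get-key"}',
    '{"pid": 103, "parent": "/usr/local/bin/claude", "image": "/bin/sh", "cmdline": "sh -c printenv ANTHROPIC_API_KEY"}',
    '{"pid": 104, "parent": "/usr/sbin/cron", "image": "/usr/bin/curl", "cmdline": "curl https://example.com/health"}'
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A shell child on its own scores medium and needs a baseline of what the CLI normally spawns in your environment; the rule rates an event high only when the command line also touches environment variables or credentials.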
Remediation & Response
- Remediation Timeline:
  - Immediate: Stop using authentication helpers and review configuration files for unsafe values.
  - As soon as possible: Upgrade Claude Code CLI to above version 2.1.91 and Agent SDK above 0.1.55.
  - Post-update: Verify installed versions and ensure no vulnerable configurations remain in CI/CD or development environments.
- Rollback Plan:
  - Revert to the previous version if needed and ensure authentication helpers remain disabled.
  - Restrict and review configuration changes during rollback.
- Incident Response Considerations:
  - Review .claude/settings.json changes, especially from pull requests.
  - Audit CI/CD pipelines to ensure the CLI was not run against untrusted repositories.
  - Monitor for unexpected child processes or environment variable access.
  - Check for potential exposure of credentials such as API keys or cloud secrets.
Compliance & Governance Notes
- Audit Trail Requirement:
  - Review .claude/settings.json changes, especially authentication helper parameters
  - Monitor for suspicious child processes spawned by the Claude Code CLI
  - Detect environment variable access and credential-related activity during execution
- Policy Alignment:
  - Restrict modification of the Claude Code configuration files in repositories
  - Review configuration changes in pull requests with the same scrutiny as code
  - Avoid using authentication helpers; use environment variables instead
  - Do not run the CLI against untrusted repositories or in non-interactive CI/CD environments
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.8 (Critical) | Critical severity indicating high impact and exploitability |
| Attack Vector | Network | Can be exploited remotely |
| Attack Complexity | Low | Does not require complex conditions |
| Privileges Required | None | No privileges required |
| User Interaction | None | No user action required |
| Scope | Unchanged | Impact remains within the vulnerable component |
| Confidentiality Impact | High | Can expose sensitive data such as credentials and environment variables |
| Integrity Impact | High | Allows execution of arbitrary commands affecting system integrity |
| Availability Impact | High | May impact system availability through command execution |