Description
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launcher that allows local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. Attackers can inject shell metacharacters into the TERMINAL variable which are interpreted by /bin/sh when the command lookup helper constructs and executes shell commands with shell=true. The vulnerability can be triggered during normal CLI execution as well as via the deep-link handler path, resulting in arbitrary command execution with the privileges of the user running the CLI.
Published: 2026-04-06
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary command execution
Action: Immediate patch
AI Analysis

Impact

Anthropic’s Claude Code CLI and Claude Agent SDK for Python contain an OS command injection flaw that is triggered by manipulating the TERMINAL environment variable. When the command lookup helper or deep‑link terminal launcher constructs and executes shell commands with /bin/sh, any shell metacharacters injected into TERMINAL are interpreted, allowing a local attacker to run arbitrary commands. The flaw is a classic CWE‑78 weakness and can lead to execution of shell commands with the privileges of the user running the CLI, potentially compromising credentials and system integrity.

Affected Systems

The vulnerability affects all versions of Anthropic’s Claude Code CLI and the Claude Agent SDK for Python where the command lookup helper and deep‑link terminal launcher are present. No specific version numbers are listed, implying that all current releases are susceptible.

Risk and Exploitability

With a CVSS score of 8.6, the flaw is considered high severity. Exploitation requires local access sufficient to set environment variables before invoking the CLI or deep‑link handler, meaning any user with such access can mount a successful attack. The EPSS score is unavailable, and the vulnerability is not currently listed in the CISA KEV catalog, but the lack of a patch and the local nature of the attack suggest that organizations running these tools should treat the risk as serious and seek remediation promptly.

Generated by OpenCVE AI on April 7, 2026 at 01:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor‑supplied patch that removes the vulnerability from the CLI and SDK.
  • If a patch is unavailable, permanently unset or sanitize the TERMINAL environment variable before invoking the Claude CLI or deep‑link handler.
  • Restrict execution of the CLI to trusted users or environments with strict access controls.
  • Monitor system logs for unexpected command execution patterns that may indicate exploitation attempts.
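As an added illustration of the CWE-78 pattern this record describes (an environment value interpolated into a /bin/sh command line) and of the recommended TERMINAL sanitization, the following Python is example code written for this page, not Claude Code's or the Agent SDK's own implementation. The function names, the allow-list pattern, and the `-e` launch convention are assumptions. It places the injectable lookup next to a hardened helper that validates TERMINAL, resolves it with shutil.which instead of a shell, and execs with a list argv, and it includes the interim workaround of dropping TERMINAL from the environment before invoking the CLI:

```python
import os
import re
import shutil
import subprocess

# Allow-list for TERMINAL: a bare program name or a path made only of "safe"
# characters. Shell metacharacters (; | & $ ` ( ) space, quotes, newlines) fail
# this pattern, so they never reach a shell or an argv. (Pattern is an assumption.)
_SAFE_TERMINAL = re.compile(r"[A-Za-z0-9_./-]+")


def unsafe_lookup_terminal(env=None):
    """The injectable pattern (CWE-78), kept only for comparison and never called.

    TERMINAL is pasted unquoted into a command line run by /bin/sh, so any
    metacharacters in the variable are interpreted by the shell.
    """
    env = os.environ if env is None else env
    terminal = env.get("TERMINAL", "xterm")
    return subprocess.run(f"command -v {terminal}", shell=True,
                          capture_output=True, text=True)


def is_safe_terminal(value):
    """True if value is a plausible program name/path with no metacharacters."""
    if not value or not _SAFE_TERMINAL.fullmatch(value):
        return False
    # Reject parent-directory traversal when the value is given as a path.
    return ".." not in value.split("/")


def resolve_terminal(env=None, default="xterm"):
    """Resolve TERMINAL to an executable path without spawning a shell.

    Raises ValueError for a value that fails the allow-list; returns None if the
    program is not on PATH. shutil.which() replaces the `command -v` lookup.
    """
    env = os.environ if env is None else env
    terminal = env.get("TERMINAL", default)
    if not is_safe_terminal(terminal):
        raise ValueError(f"TERMINAL rejected: {terminal!r}")
    # path=None falls back to the process PATH when the supplied env has none.
    return shutil.which(terminal, path=env.get("PATH"))


def launch_in_terminal(argv, env=None, dry_run=False):
    """Build (and optionally start) the terminal command in list form.

    A list argv goes straight to execve(): no /bin/sh is involved, so nothing in
    TERMINAL is expanded. The "-e" flag is the xterm convention (assumed here).
    """
    path = resolve_terminal(env)
    if path is None:
        raise FileNotFoundError("no usable terminal found on PATH")
    cmd = [path, "-e", *argv]
    if dry_run:
        return cmd
    return subprocess.Popen(cmd)


def sanitized_env(env=None):
    """Workaround from the recommended actions: drop TERMINAL before invoking
    the CLI so a vulnerable helper never sees attacker-controlled input."""
    env = dict(os.environ if env is None else env)
    env.pop("TERMINAL", None)
    return env


if __name__ == "__main__":
    # Constructed sample: a TERMINAL value carrying a shell metacharacter.
    tainted = {"TERMINAL": "xterm; echo injected", "PATH": os.environ.get("PATH", "")}
    print("allow-list accepts 'xterm':", is_safe_terminal("xterm"))
    print("allow-list accepts tainted value:", is_safe_terminal(tainted["TERMINAL"]))
    print("TERMINAL survives sanitized_env():", "TERMINAL" in sanitized_env(tainted))
    print("launch argv:", launch_in_terminal(["true"], env={"TERMINAL": "sh"}, dry_run=True))
```

The hardened helper fails closed: a TERMINAL value that does not look like a program name raises instead of being passed along, and the lookup itself never touches a shell, so the metacharacter question never arises. Until a vendor patch is available, wrapping CLI invocations with `sanitized_env()` (or an equivalent `env -u TERMINAL`) removes the attacker-controlled input entirely.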

Generated by OpenCVE AI on April 7, 2026 at 01:42 UTC.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 09:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Anthropic; Anthropic claude Agent Sdk For Python; Anthropic claude Code
Vendors & Products  |                | Anthropic; Anthropic claude Agent Sdk For Python; Anthropic claude Code

Tue, 07 Apr 2026 00:00:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 20:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launcher that allows local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. Attackers can inject shell metacharacters into the TERMINAL variable which are interpreted by /bin/sh when the command lookup helper constructs and executes shell commands with shell=true. The vulnerability can be triggered during normal CLI execution as well as via the deep-link handler path, resulting in arbitrary command execution with the privileges of the user running the CLI.
Title       |                | Anthropic Claude Code & Agent SDK OS Command Injection via TERMINAL Environment Variable
Weaknesses  |                | CWE-78
References  |                |
Metrics     |                | cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T20:22:29.141Z

Reserved: 2026-03-31T20:40:15.618Z

Link: CVE-2026-35020

Vulnrichment

Updated: 2026-04-06T20:22:18.467Z

NVD

Status: Awaiting Analysis

Published: 2026-04-06T20:16:24.863

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35020

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:44Z

Weaknesses