Description
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious file paths. Attackers can inject shell metacharacters such as $() or backtick expressions into file paths that are interpolated into shell commands executed via execSync. Although the file path is wrapped in double quotes, POSIX shell semantics (POSIX §2.2.3) do not prevent command substitution within double quotes, allowing injected expressions to be evaluated and resulting in arbitrary command execution with the privileges of the user running the CLI.
Published: 2026-04-06
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary command execution via injected shell metacharacters
Action: Immediate Patch
AI Analysis

Impact

Anthropic Claude Code CLI and Claude Agent SDK expose a prompt editor function that builds shell commands with file paths supplied by the user. By inserting shell metacharacters such as $() or backticks into these paths, an attacker can cause the underlying execSync call to perform command substitution and execute arbitrary shell commands. The vulnerability allows full control of the operating system with the same privileges as the user running the CLI, enabling credential theft, data exfiltration or further system compromise.

Affected Systems

The flaw affects the Anthropic Claude Agent SDK for Python and the Anthropic Claude Code CLI. All publicly released versions prior to the fix are vulnerable; the vendor has not listed specific version ranges, so users of any older releases should consider themselves at risk.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. Although EPSS data is not available, the attack requires only that an attacker can run the CLI on a target machine, a common scenario in CI/CD pipelines or local development environments. The vulnerability is not yet listed in CISA’s KEV catalog, but the potential for remote code execution in automated workflows makes it a prime target for exploitation. Both the scope and impact emphasize local code execution that can lead to full system compromise if the user has elevated rights.

Generated by OpenCVE AI on April 7, 2026 at 01:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Anthropic Claude Agent SDK for Python to the latest released version that contains the vendor fix.
  • Upgrade the Anthropic Claude Code CLI to the patched release as soon as possible.
  • If an immediate upgrade is not feasible, limit execution of the CLI to trusted users and audit any file path inputs for suspicious characters.
  • Monitor vendor advisories and security channels for additional guidance or temporary workarounds.

Generated by OpenCVE AI on April 7, 2026 at 01:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Anthropic
Anthropic claude Agent Sdk For Python
Anthropic claude Code
Vendors & Products Anthropic
Anthropic claude Agent Sdk For Python
Anthropic claude Code

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious file paths. Attackers can inject shell metacharacters such as $() or backtick expressions into file paths that are interpolated into shell commands executed via execSync. Although the file path is wrapped in double quotes, POSIX shell semantics (POSIX §2.2.3) do not prevent command substitution within double quotes, allowing injected expressions to be evaluated and resulting in arbitrary command execution with the privileges of the user running the CLI.
Title Anthropic Claude Code & Agent SDK OS Command Injection via promptEditor.ts
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Anthropic Claude Agent Sdk For Python Claude Code
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T15:10:32.217Z

Reserved: 2026-03-31T20:40:15.618Z

Link: CVE-2026-35021

cve-icon Vulnrichment

Updated: 2026-04-07T15:07:28.303Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-06T20:16:25.067

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35021

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T09:37:42Z

Weaknesses