Description
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to execute arbitrary commands with the privileges of the user or automation environment, enabling credential theft and environment variable exfiltration.
Published: 2026-04-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the authentication helper of Anthropic Claude Code CLI and Claude Agent SDK for Python. The helper executes configuration values with shell=True and performs no input validation. When an attacker can influence authentication settings, they can insert shell metacharacters into parameters such as apiKeyHelper, awsAuthRefresh, awsCredentialExport, or gcpAuthRefresh, allowing arbitrary shell commands to run with the privileges of the user or automation environment, leading to credential theft and exfiltration of environment variables.

Affected Systems

The affected products are Anthropic Claude Code CLI and Anthropic Claude Agent SDK for Python. No specific product versions are provided, so all recent releases that include the authentication helper are potentially impacted.

Risk and Exploitability

The CVSS score of 9.3 indicates a severe risk. While EPSS data is unavailable and the vulnerability is not listed in the KEV catalog, the lack of input validation and the ability to execute arbitrary commands make it highly valuable to attackers. Exploitation requires the ability to modify authentication helper settings, which could be achieved through compromised credentials or privileged access to configuration files. Once an attacker controls the input, they can run arbitrary commands with the privileges of the user or automation environment that runs the tool.

Generated by OpenCVE AI on April 7, 2026 at 01:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether Anthropic has released a patched version of Claude Code CLI or Claude Agent SDK that removes the unsafe shell execution.
  • If no patch is available, disable or remove the insecure authentication helper configuration to prevent arbitrary command execution.
  • Apply strict input validation or sanitization to any parameters used in helper configuration, ensuring they are not passed to the shell.
  • Monitor runtime environments for unexpected shell activity and enforce least privilege on the accounts that run the SDK.
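The third action above (validate helper values and keep them away from the shell) is the core of the fix for the CWE-78 pattern this record describes. The following is an added illustration, not code from Claude Code or the Agent SDK: a credential-helper command string read from configuration is run to obtain a token, first in the vulnerable `shell=True` form and then in a hardened form that rejects shell metacharacters, tokenises the value into an argv list and runs it with `shell=False`. The parameter names come from the advisory; the settings mapping, the metacharacter list and the validator are constructed for this example, and the demo values use the running Python interpreter so the block works offline.

```python
"""Added illustration of the CWE-78 pattern in this record (not the project's code).

A helper command string from configuration is executed to fetch a credential.
run_helper_unsafe() shows the vulnerable shell=True form; run_helper_safe()
shows a hardened form that validates the value and runs it without a shell.
"""
import os
import shlex
import subprocess
import sys

# Helper parameters named in the advisory.
HELPER_PARAMETERS = ("apiKeyHelper", "awsAuthRefresh", "awsCredentialExport", "gcpAuthRefresh")

# Characters a POSIX shell would interpret. A conservative list constructed for
# this example; none may appear in a value that will be run as a plain argv.
SHELL_METACHARACTERS = frozenset(";|&$`<>(){}*?[]~#!\\\"'\n\r")

# Constructed settings: one clean helper value and one carrying an injected command.
# The interpreter is used as the "helper" so the demo runs on any machine.
EXAMPLE_SETTINGS = {
    "apiKeyHelper": f"{sys.executable} --version",
    "awsAuthRefresh": f"{sys.executable} --version; echo INJECTED",
}


def run_helper_unsafe(helper_value: str) -> str:
    """Vulnerable pattern: the shell parses the configured string, so a ';' or
    '$(...)' inside it becomes an additional command run with the caller's rights."""
    proc = subprocess.run(helper_value, shell=True, capture_output=True, text=True)
    return proc.stdout


def helper_argv(helper_value: str) -> list[str]:
    """Validate a helper value and split it into an argv list without a shell.

    Raises ValueError for metacharacters, an empty value, or a program that is
    not given as an absolute path (so PATH lookup cannot redirect it)."""
    bad = sorted(set(helper_value) & SHELL_METACHARACTERS)
    if bad:
        raise ValueError(f"helper value contains shell metacharacters: {''.join(bad)!r}")
    argv = shlex.split(helper_value)
    if not argv:
        raise ValueError("helper value is empty")
    if not os.path.isabs(argv[0]):
        raise ValueError(f"helper program must be an absolute path: {argv[0]!r}")
    return argv


def run_helper_safe(helper_value: str, timeout: float = 30.0) -> str:
    """Hardened pattern: argv goes to the OS directly, so the value can only name
    one program and its arguments, never further commands."""
    argv = helper_argv(helper_value)
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True,
                          check=True, timeout=timeout)
    return proc.stdout


def audit_helper_values(settings: dict) -> dict:
    """Defender's check: report which configured helper values the hardened
    validator would accept, without executing any of them."""
    report = {}
    for name in HELPER_PARAMETERS:
        value = settings.get(name)
        if value is None:
            continue
        try:
            helper_argv(value)
            report[name] = "ok"
        except ValueError as exc:
            report[name] = f"rejected: {exc}"
    return report


def unsafe_demo() -> str:
    """Run the injected value the vulnerable way; the appended command executes."""
    return run_helper_unsafe(EXAMPLE_SETTINGS["awsAuthRefresh"])


def safe_demo() -> str:
    """Run the clean value the hardened way; returns the interpreter's version line."""
    return run_helper_safe(EXAMPLE_SETTINGS["apiKeyHelper"])


if __name__ == "__main__":
    print("unsafe:", unsafe_demo().strip().splitlines())
    print("safe  :", safe_demo().strip())
    for name, status in audit_helper_values(EXAMPLE_SETTINGS).items():
        print(f"{name}: {status}")
```

Running the block shows the injected `echo INJECTED` executing under the unsafe path while the hardened path runs only the configured program. Note what the hardening does and does not buy: `shell=False` plus validation removes metacharacter injection, but whoever can write the helper setting still chooses which program runs, so the advisory's other actions (restrict who can edit the configuration, run with least privilege, watch for unexpected child processes) remain necessary. `audit_helper_values()` is the piece a defender can run against existing settings to find values the vulnerable code would have handed to a shell.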

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type: Metrics (ssvc)
Values Added:
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Anthropic; Anthropic claude Agent Sdk For Python; Anthropic claude Code

Type: Vendors & Products
Values Added: Anthropic; Anthropic claude Agent Sdk For Python; Anthropic claude Code

Mon, 06 Apr 2026 20:00:00 +0000

Type: Description
Values Added: Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to execute arbitrary commands with the privileges of the user or automation environment, enabling credential theft and environment variable exfiltration.

Type: Title
Values Added: Anthropic Claude Code & Agent SDK OS Command Injection via Authentication Helper

Type: Weaknesses
Values Added: CWE-78

Type: References

Type: Metrics (cvssV3_1)
Values Added:
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Type: Metrics (cvssV4_0)
Values Added:
{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Anthropic; Claude Agent Sdk For Python; Claude Code
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T16:16:24.001Z

Reserved: 2026-03-31T20:40:15.618Z

Link: CVE-2026-35022

Vulnrichment

Updated: 2026-04-07T16:16:20.878Z

NVD

Status: Awaiting Analysis

Published: 2026-04-06T20:16:25.260

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35022

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:41Z

Weaknesses