CVE-2026-35020 - Vulnerability Analysis
High | CVSS: 8.4 | Last Updated: April 6, 2026
Anthropic Claude Code CLI & Claude Agent SDK - Command Injection
Published: April 6, 2026 | Updated: April 6, 2026
Overview
Anthropic Claude Code CLI and Claude Agent SDK contain a command injection vulnerability caused by improper handling of the TERMINAL environment variable in the command lookup helper and the deep-link terminal launcher. It lets local attackers execute arbitrary commands with user privileges. Exploitation requires local access.
Severity & Score
Severity: High
CVSS Score: 8.4
Impact
Local attackers can execute arbitrary commands with the privileges of the user running the CLI, potentially leading to full system compromise.
Mitigation
Update to the latest version that includes the fix for this vulnerability.
Details
- CVE ID: CVE-2026-35020
- Severity: High
- CVSS Score: 8.4
- Type: command_injection
- Status: new
CWE
- CWE-78
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H