CVE-2026-35022 - Vulnerability Analysis

Overview

Anthropic Claude Code CLI and Claude Agent SDK contain a command injection caused by execution of authentication helper configuration values with shell=true without input validation, letting attackers who influence authentication settings execute arbitrary OS commands, exploit requires attacker control over authentication parameters.

Severity & Score

Impact

Attackers can execute arbitrary OS commands with user or automation environment privileges, leading to credential theft and environment variable exfiltration.

Mitigation

Update to the latest version with input validation for authentication helper execution.

References

• https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-authentication-helper
• https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner