CVE-2026-35022
🔴 Łataj teraz
Wstrzyknięcie poleceń w Anthropic Claude umożliwia wykonanie dowolnych komend przez atakujących.
CVSS
9.8
EPSS
0.5%
Exploit
poc
Vendor
anthropic
Opis źródłowy (NVD)
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to execute arbitrary commands with the privileges of the user or automation environment, enabling credential theft and environment variable exfiltration.
exploit rce
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.5% |
| Opublikowano (NVD) | 2026-04-06 20:16:25 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-29 19:00:04 UTC |
Referencje
- https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/ (disclosure@vulncheck.com) [Exploit, Third Party Advisory]
- https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-authentication-helper (disclosure@vulncheck.com) [Third Party Advisory]