CVE-2026-35020
published 2026-04-06CVE-2026-35020: Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launcher that…
PriorityP346high8.6CVSS 4.0
AVLACLATNPRNUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launcher that allows local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. Attackers can inject shell metacharacters into the TERMINAL variable which are interpreted by /bin/sh when the command lookup helper constructs and executes shell commands with shell=true. The vulnerability can be triggered during normal CLI execution as well as via the deep-link handler path, resulting in arbitrary command execution with the privileges of the user running the CLI.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anthropic | claude_agent_sdk | <= 0.1.55 | — |
| anthropic | claude_agent_sdk_for_python | <= 0.1.55 | — |
| anthropic | claude_code | <= 2.1.91 | — |
| anthropic | claude_code | <= 2.1.91 | — |
CVSS provenance
nvdv4.08.6HIGHCVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cvelistv58.6HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Anthropic Claude Code/Claude Agent SDK for Python Environment Variable TERMINAL os command injection (EUVD-2026-19438)
vuldb·2026-06-01
CVE-2026-35020 [CRITICAL] Anthropic Claude Code/Claude Agent SDK for Python Environment Variable TERMINAL os command injection (EUVD-2026-19438)
Further investigation has shown that this issues is a false-positive. Please review the sources mentioned and consider not using this entry at all.
CVEList
Anthropic Claude Code & Agent SDK OS Command Injection via TERMINAL Environment Variable
cvelistv5·2026-04-06·CVSS 8.6
CVE-2026-35020 [HIGH] CWE-78 Anthropic Claude Code & Agent SDK OS Command Injection via TERMINAL Environment Variable
Anthropic Claude Code & Agent SDK OS Command Injection via TERMINAL Environment Variable
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launcher that allows local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. Attackers can inject shell metacharacters into the TERMINAL variable which are interpreted by /bin/sh when the command lookup helper constructs and executes shell commands with shell=true. The vulnerability can be triggered during normal CLI execution as well as via the deep-link handler path, resulting in arbitrary command execution with the privileges of the user running the CLI.
GHSA
GHSA-jgg3-qqhf-7rx7: Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launc
ghsa_unreviewed·2026-04-06
CVE-2026-35020 [HIGH] CWE-78 GHSA-jgg3-qqhf-7rx7: Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launc
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launcher that allows local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. Attackers can inject shell metacharacters into the TERMINAL variable which are interpreted by /bin/sh when the command lookup helper constructs and executes shell commands with shell=true. The vulnerability can be triggered during normal CLI execution as well as via the deep-link handler path, resulting in arbitrary command execution with the privileges of the user running the CLI.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-06
Published