Anthropic Claude OS Command Injection via shell=True Auth Helper
CVE-2026-35022 Published on April 6, 2026
Anthropic Claude Code & Agent SDK OS Command Injection via Authentication Helper
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to execute arbitrary commands with the privileges of the user or automation environment, enabling credential theft and environment variable exfiltration.
Vulnerability Analysis
CVE-2026-35022 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-35022 has been classified to as a Shell injection vulnerability or weakness.
Products Associated with CVE-2026-35022
Want to know whenever a new CVE is published for Anthropic Claude Code? stack.watch will email you.
Affected Versions
Anthropic Claude Code:- Before and including 2.1.91 is affected.
- Before and including 0.1.55 is affected.