Anthropic Claude Code Critical OS Command Injection Vulnerability

Overview

• Product: CVE-2026-35022

• Severity: Critical

• CVSS: 9.3

• Date: 7 April 2026

Anthropic has disclosed a critical vulnerability affecting Claude Code CLI and Claude Agent SDK. The issue allows command injection via authentication helper configuration, which may enable attackers to execute arbitrary commands and access sensitive credentials. Helper configuration values are executed with shell=true and without input validation, which can allow shell metacharacter injection through parameters such as apiKeyHelper,awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh.

Affected Versions

• Claude Code: ≤ 2.1.91

• Claude Agent SDK for Python: ≤ 0.1.55

  
  

Vulnerability Breakdown

CVE-2026-35022 - OS Command Injection via Authentication Helper Execution

• Severity: Critical

• CVSS: 9.3

• Description: Authentication helper values can be executed in a shell context without sufficient sanitisation. If an attacker can influence authentication settings, shell metacharacters may be injected and arbitrary commands may run.

• Impact: Successful exploitation may allow arbitrary command execution in the context of the affected user or automation environment. This can lead to credential theft, environment variable exfiltration and broader compromise of developer workstations or CI/CD runners.

• Conditions: The attacker must be able to influence authentication helper settings or related configuration values used by Claude Code or the Claude Agent SDK.

• Notes: Risk is especially serious in automation and CI/CD environments where sensitive tokens, cloud credentials and build artefacts may be exposed.

  
  

Mitigation

• Update Claude Code and the Claude Agent SDK for Python to the latest vendor-fixed release as a priority.

• Review authentication helper settings and remove or restrict helper-based execution where it is not required.

• Prefer environment variables for credentials where operationally appropriate instead of helper execution.

• Review .claude/settings.json and related configuration changes during code review.

• Treat CI/CD and repository configuration changes as security-sensitive and restrict who can modify them.

• Monitor developer and automation environments for signs of credential misuse or unauthorised command execution.

  
  

Summary for IT Teams

• Products: Anthropic Claude Code, Claude Agent SDK for Python

• Threat Level: Critical, CVSS 9.3

• Action Required: Patch affected versions immediately, review authentication helper configurations, and scrutinise CI/CD or repository settings that could be influenced by untrusted contributors.

  
  

Reference

• VulnCheck - Anthropic Claude Code & Agent SDK OS Command Injection via Authentication Helper

• Phoenix Security - Claude Code CLI: 3 Command Injection Flaws and CI/CD Risk

  
  

Need Help?

If your organisation needs assistance assessing exposure, validating configurations or prioritising remediation, contact us on 1300 769 460. We are here to help strengthen your cybersecurity posture.