Anthropic — Three OS command injection vulnerabilities in Claude Code CLI and Agent SDK
AI relevance: Claude Code CLI and Agent SDK are Anthropic's flagship developer tools for AI-assisted coding. Command injection vulnerabilities in them are particularly dangerous because they can compromise development environments and CI/CD pipelines and expose sensitive credentials.
- CVE-2026-35020 — OS command injection via TERMINAL environment variable manipulation
- CVE-2026-35021 — Command injection through malicious file paths in prompt editor
- CVE-2026-35022 — Shell metacharacter injection allowing arbitrary command execution
- All three vulnerabilities share the same root cause in command parsing logic
- CVSS scores range from 7.8 to 9.8 (Critical) depending on attack vector
- Vulnerabilities enable full credential exfiltration from CI/CD pipelines
- Affects Claude Code CLI versions 0.8.0 through 1.2.3
- Also impacts Claude Agent SDK versions 2.1.0 through 2.4.1
- Phoenix Security confirmed all three vulnerabilities with runtime proof-of-concept
- Anthropic has released patches in Claude Code CLI 1.2.4 and Agent SDK 2.4.2
Why it matters
AI coding assistants like Claude Code operate with significant system access: they read codebases, edit files, and execute commands. When these tools contain command injection vulnerabilities, attackers can compromise development environments, steal credentials, manipulate code, and gain persistence in software supply chains. Non-interactive CI/CD usage makes these vulnerabilities particularly dangerous because no human oversight mechanism is in place to catch malicious command execution.
What to do
- Immediately update Claude Code CLI to version 1.2.4+ and Agent SDK to 2.4.2+
- Audit CI/CD pipelines for Claude Code usage and review recent command history
- Implement command allowlisting rather than denylisting for AI tool permissions
- Use sandboxed execution environments for all AI-assisted coding operations
- Monitor for anomalous command patterns in development workflows
- Rotate credentials that may have been exposed through compromised CI/CD systems
- Review network egress patterns from development environments
- Implement runtime protection to detect command injection attempts
- Educate developers on secure AI tool configuration and risk awareness
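
The allowlisting advice above, as an added example (not code from Anthropic or Phoenix Security): a default-deny gate that accepts only an argv array, runs it without a shell, and hands the child a reduced environment. The policy table, the environment list and the function names are assumptions made for illustration.

```javascript
// Added example: default-deny gate for commands an AI coding tool asks to run.
// POLICY, checkCommand, scrubEnv and runGated are hypothetical names, not Claude Code APIs.

// Constructed policy: each allowed binary maps to the subcommands it may run.
const POLICY = new Map([
  ["git", new Set(["status", "diff", "log"])],
  ["npm", new Set(["test", "ci"])],
]);

// Only these variables reach the child process, so CI secrets and variables
// such as TERMINAL are not inherited by what the tool launches.
const ENV_ALLOWLIST = ["PATH", "HOME", "LANG"];

// Plain arguments only: no shell metacharacters, no leading "-" (option injection).
const SAFE_ARG = /^[A-Za-z0-9_.\/][A-Za-z0-9_.\/=:@-]*$/;

// Decide on an argv array; a single command string is rejected outright
// because splitting it correctly would mean re-implementing the shell.
function checkCommand(argv) {
  if (!Array.isArray(argv) || argv.length < 2 || !argv.every((a) => typeof a === "string")) {
    return { allowed: false, reason: "expected [binary, subcommand, ...args]" };
  }
  const [bin, sub, ...rest] = argv;
  const subs = POLICY.get(bin); // exact name match: paths like ./git never match
  if (!subs) return { allowed: false, reason: "binary not on allowlist" };
  if (!subs.has(sub)) return { allowed: false, reason: "subcommand not on allowlist" };
  const bad = rest.find((a) => !SAFE_ARG.test(a));
  if (bad !== undefined) return { allowed: false, reason: "unsafe argument" };
  return { allowed: true, reason: "ok" };
}

// Build the reduced environment from a source env (process.env in real use).
function scrubEnv(source) {
  return Object.fromEntries(ENV_ALLOWLIST.filter((k) => k in source).map((k) => [k, source[k]]));
}

// Run an approved command without a shell; throws if the gate denies it.
function runGated(argv, source = process.env) {
  const verdict = checkCommand(argv);
  if (!verdict.allowed) throw new Error(`denied: ${verdict.reason}`);
  const { execFileSync } = require("node:child_process");
  return execFileSync(argv[0], argv.slice(1), { shell: false, env: scrubEnv(source), encoding: "utf8" });
}
```

Logging each denied request together with its reason gives the "anomalous command patterns" monitoring item a concrete signal to alert on.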