CVE-2026-35021

HIGH 7.8

Anthropic Claude Code & Agent SDK OS Command Injection via promptEditor.ts

CVSS Score

7.8

EPSS Score

0.0%

EPSS Percentile

10th

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious file paths. Attackers can inject shell metacharacters such as $() or backtick expressions into file paths that are interpolated into shell commands executed via execSync. Although the file path is wrapped in double quotes, POSIX shell semantics (POSIX §2.2.3) do not prevent command substitution within double quotes, allowing injected expressions to be evaluated and resulting in arbitrary command execution with the privileges of the user running the CLI.

CWE	CWE-78
Vendor	anthropic
Product	claude code
Published	Apr 6, 2026
Last Updated	Apr 13, 2026

Stay Ahead of the Next One

Get instant alerts for anthropic claude code

Be the first to know when new high vulnerabilities affecting anthropic claude code are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Anthropic / Claude Code

0 ≤ 2.1.91

Anthropic / Claude Agent SDK for Python

0 ≤ 0.1.55

References

NVD ↗ CVE.org ↗ EPSS Data ↗

phoenix.security: https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/ vulncheck.com: https://www.vulncheck.com/advisories/anthropic-claude-code-agent-sdk-os-command-injection-via-prompteditor-ts

Credits

Francesco Cipollone