Attack Chain

1. A malicious actor crafts a directory name containing the string ''' followed by arbitrary Python code and another ''' to close the string.
2. The attacker delivers the hostile directory to the victim’s filesystem via any means (e.g., git clone, archive extraction, npm package installation, downloaded zip file).
3. The victim has tools/quota-statusline.sh configured as the statusLine hook in their Claude Code settings as recommended.
4. The victim navigates into the directory containing the hostile path using the cd command in their shell. This can also occur if a project or workspace is opened from the hostile path.
5. Claude Code’s statusline hook is triggered upon every statusline redraw, which happens frequently.
6. The tools/quota-statusline.sh script executes, interpolating the user-controlled directory path into the Python command.
7. The malicious payload injected via the directory name is executed as Python code within the context of the user’s Claude Code process.
8. The attacker gains local code execution with the privileges of the user running Claude Code, allowing them to access files, SSH keys, and other sensitive data.

Impact

Successful exploitation of this vulnerability leads to local code execution with the privileges of the user running Claude Code. An attacker can gain access to the user’s files, SSH keys, and other sensitive credentials. This can lead to complete compromise of the user’s local environment and potentially lateral movement to other systems if credentials are reused. Users who followed the recommended setup instructions in the v3.5.0 README are particularly at risk.

Recommendation

• Upgrade to claude-code-cache-fix version 3.5.2 or later to remediate CVE-2026-45136.
• Disable the statusline by removing the statusLine entry from ~/.claude/settings.json as a temporary workaround.
• Deploy the Sigma rule “Detect Python Code Injection via quota-statusline.sh (CVE-2026-45136)” to your SIEM to detect potential exploitation attempts.