{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/anthropic/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-35022"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","cve-2026-35022","anthropic","claude"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Anthropic Claude Code CLI and Claude Agent SDK are vulnerable to OS command injection (CVE-2026-35022). This vulnerability stems from the insecure execution of authentication helper configuration values. Specifically, the application executes commands using \u003ccode\u003eshell=true\u003c/code\u003e without proper input validation on parameters such as \u003ccode\u003eapiKeyHelper\u003c/code\u003e, \u003ccode\u003eawsAuthRefresh\u003c/code\u003e, \u003ccode\u003eawsCredentialExport\u003c/code\u003e, and \u003ccode\u003egcpAuthRefresh\u003c/code\u003e. An attacker who can manipulate these authentication settings can inject shell metacharacters to execute arbitrary commands with the privileges of the user or automation environment running the Claude CLI or SDK. This can lead to credential theft and the exfiltration of sensitive environment variables. Defenders should focus on detecting attempts to modify authentication settings or the execution of commands originating from the Claude CLI or SDK with suspicious arguments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to the configuration settings of the Anthropic Claude Code CLI or Claude Agent SDK. This could be achieved through compromised credentials or a separate vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eapiKeyHelper\u003c/code\u003e, \u003ccode\u003eawsAuthRefresh\u003c/code\u003e, \u003ccode\u003eawsCredentialExport\u003c/code\u003e, or \u003ccode\u003egcpAuthRefresh\u003c/code\u003e parameters within the authentication configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker injects shell metacharacters (e.g., \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u0026amp;\u003c/code\u003e) into these parameters, crafting malicious commands.\u003c/li\u003e\n\u003cli\u003eThe Claude CLI or SDK attempts to authenticate, executing the configured helper command using \u003ccode\u003eshell=true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected shell metacharacters cause the operating system to execute the attacker\u0026rsquo;s malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s commands steal credentials stored on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s commands exfiltrate sensitive environment variables to an external server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials and environment variables to gain further access to the victim\u0026rsquo;s systems or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35022 allows attackers to execute arbitrary commands on the system running the Anthropic Claude Code CLI or Claude Agent SDK. This can lead to the theft of sensitive credentials, such as API keys and AWS credentials, and the exfiltration of environment variables containing sensitive information. The impact includes unauthorized access to cloud resources, data breaches, and potential supply chain compromise if the compromised environment is used for software development or deployment. The scope of the impact depends on the permissions of the user or automation environment running the vulnerable software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for suspicious commands originating from the Claude CLI or SDK with command-line arguments containing shell metacharacters. Implement the Sigma rule \u0026ldquo;Detect Claude CLI/SDK Command Injection via Shell Metacharacters\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit who can modify the configuration settings of the Claude CLI or SDK.\u003c/li\u003e\n\u003cli\u003eRegularly audit the configuration settings of the Claude CLI or SDK for any unauthorized changes.\u003c/li\u003e\n\u003cli\u003ePatch CVE-2026-35022 as soon as a patch is available from Anthropic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T20:16:25Z","date_published":"2026-04-06T20:16:25Z","id":"/briefs/2026-04-claude-command-injection/","summary":"CVE-2026-35022 describes an OS command injection vulnerability in the Anthropic Claude Code CLI and Claude Agent SDK that allows attackers with control over authentication settings to execute arbitrary commands, potentially leading to credential theft and environment variable exfiltration.","title":"Anthropic Claude Code CLI/SDK OS Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-claude-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-35021"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-35021","command-injection","anthropic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Anthropic Claude Code CLI and Claude Agent SDK are susceptible to an OS command injection vulnerability, as detailed in CVE-2026-35021. This flaw stems from the insufficient sanitization of file paths within the prompt editor invocation utility. An attacker can exploit this vulnerability by injecting shell metacharacters into file paths, which are then interpolated into shell commands executed using \u003ccode\u003eexecSync\u003c/code\u003e. The use of double quotes around the file path does not prevent command substitution, enabling attackers to execute arbitrary commands with the privileges of the user running the CLI, creating a high-risk scenario for compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious file path containing shell metacharacters (e.g., \u003ccode\u003e$()\u003c/code\u003e, backticks).\u003c/li\u003e\n\u003cli\u003eThe malicious file path is provided as input to the Anthropic Claude Code CLI or Agent SDK, specifically targeting the prompt editor invocation utility.\u003c/li\u003e\n\u003cli\u003eThe application interpolates the attacker-controlled file path into a shell command.\u003c/li\u003e\n\u003cli\u003eThe shell command, now containing the injected payload, is executed via the \u003ccode\u003eexecSync\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe shell interprets the injected metacharacters, triggering command substitution.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s injected commands are executed with the privileges of the user running the CLI or SDK.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary commands on the affected system. This could lead to complete system compromise, data exfiltration, or deployment of malicious payloads such as ransomware. Due to the nature of the vulnerability, any system utilizing the Claude Code CLI or Agent SDK is potentially at risk if it processes untrusted file paths.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Claude CLI/Agent SDK Command Execution\u003c/code\u003e to identify potential command injection attempts via process creation logs.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for command line arguments containing shell metacharacters being passed to processes spawned by the Claude CLI or Agent SDK using the \u003ccode\u003eProcess Creation with Shell Metacharacters\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates released by Anthropic to address CVE-2026-35021 once they are available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T20:16:25Z","date_published":"2026-04-06T20:16:25Z","id":"/briefs/2026-04-claude-code-cmd-injection/","summary":"The Anthropic Claude Code CLI and Claude Agent SDK are vulnerable to OS command injection via crafted file paths, allowing arbitrary command execution.","title":"Anthropic Claude Code CLI/Agent SDK OS Command Injection Vulnerability (CVE-2026-35021)","url":"https://feed.craftedsignal.io/briefs/2026-04-claude-code-cmd-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Anthropic","version":"https://jsonfeed.org/version/1.1"}