PT-2026-24753 · Npm+3 · @Siteboon/Claudecodeui+2
Neo-Ai-Engineer +1
Published 2026-03-11 · Updated 2026-03-19
CVE-2026-31862
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Cloud CLI versions prior to 1.24.0

Description: Cloud CLI (also known as Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Multiple Git-related API endpoints call execAsync() with string interpolation of user-controlled parameters (specifically file, branch, message, and commit), enabling authenticated attackers to execute arbitrary operating system commands. The application attempts to escape double quotes in some parameters, but this protection can be bypassed with shell metacharacters such as command substitution ($(command) or backtick-quoted command) and command chaining (;, &&, ||). The following API endpoints are affected:

- /api/git/diff (file parameter)
- /api/git/status (file parameter)
- /api/git/commit (files array and message parameter)
- /api/git/checkout (branch parameter)
- /api/git/create-branch (branch parameter)
- /api/git/commits (commit parameter)
- /api/git/commit-diff (commit parameter)
- /api/git/file-with-diff (file parameter)
- /api/git/generate-commit-message (file parameter)
- /api/git/discard (file parameter)
- /api/git/publish (branch parameter)

Successful exploitation could lead to remote code execution as the Node.js process user, potentially resulting in full server compromise and data exfiltration.

Recommendations: Update Cloud CLI to version 1.24.0 or later.

Exploit · Fix · RCE · OS Command Injection · Command Injection


Weakness Enumeration

Related Identifiers: CVE-2026-31862, GHSA-F2FC-VC88-6W7Q

Affected Products: @Siteboon/Claudecodeui, Claudecodeui, Cloud Cli