CVE-2026-35022

Name of the Vulnerable Software and Affected Versions Anthropic Claude Code CLI and Claude Agent SDK (affected versions not specified)

Description Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection issue in authentication helper execution. Helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to execute arbitrary commands with the privileges of the user or automation environment. This can lead to credential theft and environment variable exfiltration.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.