A code leak from Anthropic's Claude Code AI agent revealed three critical command injection vulnerabilities (CVE-2026-35022, CVSS 9.8) affecting CLI, agent, and SDK components. These flaws allow attackers to execute arbitrary commands and steal credentials through environment variables, file paths, and authentication helpers. Users are urged to update immediately and avoid using authentication helpers.
Background
Anthropic's Claude Code is an AI-powered coding assistant that helps developers with code generation and analysis. Command injection is a common class of vulnerability in which an attacker executes arbitrary commands on a system through improperly sanitized input.
- Source: Lobsters
- Published: Apr 19, 2026 at 08:59 AM
- Score: 9.0 / 10