Anthropic Claude Code leak reveals critical command-injection flaws — patch now

What happened
It has been reported that analysis of a leaked copy of Anthropic’s Claude Code agent revealed three critical command-injection vulnerabilities affecting the CLI, agent, and SDK. The flaws, collectively tracked as CVE-2026-35022 with a CVSS score of 9.8, allegedly let attackers execute arbitrary shell commands by abusing how the tool handles environment variables, file paths, and authentication helpers. Short version: bad input gets turned into executed code. Yikes.
Why it matters
These aren’t theoretical bugs. Successful exploitation allegedly allows attackers to siphon off environment variables — think cloud IAM roles and deployment keys — or run lateral-movement tooling inside corporate networks. Even worse: the authentication helpers run before the agent’s security sandbox, so they bypass built-in permission checks and dangerous-pattern blocking. In automated CI/CD setups a single malicious pull request could trigger what security teams are calling Poisoned Pipeline Execution. Sound familiar? It’s the same nightmare scenario supply-chain defenders have fought since SolarWinds.
Affected versions and immediate risk
Anthropic says the flaws affect the CLI version 0.2.87 and Claude Code version 2.1.87. If you’re running either, assume risk. The practical danger is high: non-interactive CI runs, fork-contributed workspaces, or any automation that runs the CLI against untrusted PRs can be used as an execution vector. Who wants to wake up to a compromised build farm? Nobody.
What to do now
Update immediately to the latest fixed release and stop using the authentication helpers. Instead, set ANTHROPIC_API_KEY directly in the environment to avoid the vulnerable execution path. Review any .claude/settings.json changes in pull requests with the same scrutiny you give code changes. Audit CI/CD pipelines so the CLI is never run against untrusted PRs or fork workspaces in non-interactive mode. Longer-term fixes should replace shell-string execution with argv-based process spawning and implement strict metacharacter rejection for configuration-sourced strings. Act fast — this one bites hard.
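The longer-term fix described above, sketched in Node.js as an added example (not Anthropic's code and not part of the original report): a configuration-sourced helper string is checked against a strict character allow-list, split into an argv array, and spawned without a shell. The function names, the allow-list, the absolute-path rule, the POSIX paths and the sample helper path are assumptions made for illustration.

```javascript
const { execFileSync } = require('node:child_process');

// Allow-list for one argv token. Anything a shell would interpret
// (; | & $ ` ( ) < > quotes, globs, newlines) is simply not in the set.
const SAFE_TOKEN = /^[A-Za-z0-9_@%+=:,.\/-]+$/;

// Turn a config string such as "/usr/local/bin/get-key --profile ci" into
// an argv array. Unsafe input is rejected outright, never escaped or "fixed".
function parseHelperCommand(configValue) {
  if (typeof configValue !== 'string' || configValue.trim() === '') {
    throw new Error('helper command must be a non-empty string');
  }
  const argv = configValue.trim().split(/\s+/);
  for (const token of argv) {
    if (!SAFE_TOKEN.test(token)) {
      throw new Error(`rejected token: ${JSON.stringify(token)}`);
    }
  }
  if (!argv[0].startsWith('/')) {
    throw new Error('helper must be an absolute path'); // no PATH lookup
  }
  return argv;
}

// Spawn without a shell: argv[0] is executed directly and every other
// element reaches the program as one literal argument.
function runHelper(argv) {
  return execFileSync(argv[0], argv.slice(1), {
    shell: false,
    encoding: 'utf8',
    timeout: 5000,
    env: { PATH: '/usr/bin:/bin' }, // helper does not inherit secrets from the parent env
  });
}

// True when the value is refused, false when it parses cleanly.
function isRejected(configValue) {
  try { parseHelperCommand(configValue); return false; } catch { return true; }
}

// Constructed sample values, not taken from any real settings file.
console.log(parseHelperCommand('/usr/local/bin/get-key --profile ci'));
console.log(isRejected('/usr/local/bin/get-key --profile ci; echo injected'));
```

The same check can run as a CI gate over helper strings in any changed .claude/settings.json, so a pull request that introduces a rejected value fails before the CLI is ever invoked.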
Sources: beyondmachines.net, Lobsters