Critical command injection vulnerabilities (CVE-2026-35022, CVSS 9.8) discovered in Anthropic's Claude Code CLI and SDK allow attackers to execute arbitrary commands and steal credentials through environment variables, file paths, and authentication helpers. The flaws enable poisoned pipeline execution attacks in CI/CD environments, requiring immediate patching and configuration changes.
# Anthropic Claude Code Leak Reveals Critical Command Injection Vulnerabilities
Source: [https://beyondmachines.net/event_details/anthropic-claude-code-leak-reveals-critical-command-injection-vulnerabilities-e-6-c-1-k/gD2P6Ple2L](https://beyondmachines.net/event_details/anthropic-claude-code-leak-reveals-critical-command-injection-vulnerabilities-e-6-c-1-k/gD2P6Ple2L)
Take action: If you're using Claude Code, update immediately to the latest version and stop using authentication helpers. Instead, set the `ANTHROPIC_API_KEY` environment variable directly. Also, review any `.claude/settings.json` changes in pull requests as carefully as code changes, and never run the CLI against untrusted pull requests in CI/CD pipelines.
Analysis of the leaked Anthropic Claude Code AI agent revealed three critical command injection vulnerabilities affecting the CLI, agent, and SDK. These flaws allow attackers to run arbitrary commands and steal credentials by exploiting how the tool handles environment variables, file paths, and authentication helpers.
Vulnerabilities [summary](https://phoenix.security/critical-ci-cd-nightmare-3-command-injection-flaws-in-claude-code-cli-allow-credential-exfiltration/):
All flaws are collectively reported as **CVE-2026-35022 (CVSS score 9.8)**
- **VULN-01** - A command injection vulnerability in the command lookup utility that occurs when the tool reads the TERMINAL environment variable. The Node.js runtime path interpolates this variable into a shell command string, allowing attackers to run arbitrary code by placing metacharacters in .env files or CI/CD configs. This flaw requires no user interaction and allows full access to the user's permission set.
- **VULN-02** - A shell injection flaw in the editor invocation subsystem that triggers when processing crafted file paths. The system places file paths inside double quotes within a shell string, but POSIX shell rules still evaluate command substitutions like `$()` or backticks in this context. Attackers can execute commands by creating files with malicious names in a repository that the user then opens with the CLI.
- **VULN-03** - A command injection vulnerability in the authentication helper subsystem that allows for remote credential exfiltration. The CLI executes helper commands from settings with full shell interpretation and skips trust dialogs in non-interactive mode. This allows attackers to steal AWS, GCP, and Anthropic API keys from CI/CD runners by modifying workspace settings via a pull request.
Successful exploitation allows attackers to move laterally through corporate networks or exfiltrate sensitive environment variables, including cloud IAM roles and deployment keys. Because the authentication helpers run before the agent's security sandbox, they bypass all built-in permission checks and dangerous-pattern blocking.
In automated environments, these flaws enable Poisoned Pipeline Execution, where a single malicious pull request can compromise an entire software supply chain.
The vulnerabilities affect CLI version 0.2.87 and Claude Code version 2.1.87.
Users should immediately stop using authentication helpers and instead set the `ANTHROPIC_API_KEY` environment variable directly to bypass the vulnerable execution path.
Security teams should audit CI/CD pipelines to ensure the CLI does not run against untrusted pull requests or fork-contributed workspaces in non-interactive mode. Anthropic recommends that developers review `.claude/settings.json` changes with the same level of scrutiny as code changes. Future updates should replace shell-string execution with argv-based process spawning and implement strict metacharacter rejection for all configuration-sourced strings.