Anthropic VDP 'Informative' Disposition
- Entity ID: ent-20260419-a1b2c3d4e511
- Type: decision
- Scope: shared
- Status: active
- Aliases: VDP Informative closure, controlling TERMINAL rationale
Description
Anthropic Vulnerability Disclosure Program disposition closing CVE-2026-35020 and CVE-2026-35022 as 'Informative' — meaning no fix is planned. Stated rationale: 'controlling TERMINAL implies existing code execution.' Phoenix Security rebuttal: eight documented environment-injection vectors (.env files, CI/CD vars, IDE workspace settings, Docker ENV, K8s ConfigMaps, SSH SendEnv, systemd Environment=, dotfile managers) do not require pre-existing code execution; git's credential helper — Anthropic's own analogy — has produced seven CVEs since 2020 for the same vulnerability class and git added protections each time. Precedent for a durable architectural disagreement between Anthropic and ecosystem security researchers.
Key claims
- Anthropic declined to patch TERMINAL/apiKeyHelper chain, citing 'controlling TERMINAL implies code execution'
Relations
- Anthropic VDP 'Informative' Disposition --[blocks]--> CVE-2026-35020
- Anthropic VDP 'Informative' Disposition --[blocks]--> CVE-2026-35022