CVE-2026-35020
- Entity ID: ent-20260419-a1b2c3d4e501
- Type: issue
- Scope: shared
- Status: active
- Aliases: which.ts command injection, TERMINAL env injection
Description
Unpatched critical (CVSS 8.4) command injection in Claude Code's which.ts command-lookup path. User-controlled TERMINAL environment variable flows through the CLI's deep-link handler into a shell invocation with no sanitization; zero user interaction required. Eight documented environment-injection vectors: .env files, CI/CD pipeline variables, IDE workspace settings, Docker ENV directives, Kubernetes ConfigMaps, SSH SendEnv forwarding, systemd unit Environment= directives, and dotfile manager profile modifications. Validated on v2.1.91 (April 3, 2026). Anthropic closed as 'Informative' in VDP.
Key claims
- Three CVEs on v2.1.91 chain into no-click credential+MEMORY.md exfiltration
- All five known Claude Code CVEs share CWE-78 (OS command injection via unsanitized string interpolation)
- Anthropic declined to patch TERMINAL/apiKeyHelper chain, citing 'controlling TERMINAL implies code execution'
Relations
- CVE-2026-35020 --[contains]--> Phoenix Security Kill Chain
- Phoenix Security Kill Chain --[depends_on]--> CVE-2026-35020
- Anthropic VDP 'Informative' Disposition --[blocks]--> CVE-2026-35020
- Jonny Teardown --[related_to]--> CVE-2026-35020