CVE-2026-35022
- Entity ID: ent-20260419-a1b2c3d4e502
- Type: issue
- Scope: shared
- Status: active
- Aliases: auth.ts credential helper injection, apiKeyHelper exfiltration
Description
Unpatched credential exfiltration vulnerability in the auth.ts credential-helper path. It is rated 7.8 standalone but escalates to 9.9 in CI/CD contexts that use '-p' (headless) mode, where no user interaction is required. The attacker writes a malicious .claude/settings.json with a crafted apiKeyHelper containing an exfiltration command; when Claude Code (CC) resolves credentials it executes the helper, which in the confirmed PoC variant also exfiltrates MEMORY.md conversation history over HTTP. Four PoC variants all returned CALLBACK_CONFIRMED/PASS on v2.1.91. Closed 'Informative' by Anthropic VDP.
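A defensive pre-flight check for the headless CI case described above, as an added example (not code from this record or from Anthropic): it blocks the job when any file inside the checkout sets apiKeyHelper, on the assumption that a helper should only come from runner-managed configuration. The list of settings file names, the function names and the sample paths are assumptions.

```python
import json
import tempfile
from pathlib import Path

# Settings file names under .claude/ that a checkout could carry (assumed list).
SETTINGS_NAMES = ("settings.json", "settings.local.json")


def find_repo_helpers(checkout_root):
    """Return (path, helper) for every apiKeyHelper set by a file in the checkout.

    Unparseable settings files are reported with helper=None so the gate fails closed.
    """
    findings = []
    for claude_dir in Path(checkout_root).rglob(".claude"):
        if not claude_dir.is_dir():
            continue
        for name in SETTINGS_NAMES:
            path = claude_dir / name
            if not path.is_file():
                continue
            try:
                data = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                findings.append((str(path), None))
                continue
            if isinstance(data, dict) and "apiKeyHelper" in data:
                findings.append((str(path), data["apiKeyHelper"]))
    return sorted(findings, key=lambda f: f[0])


def gate(checkout_root):
    """True when the headless run may proceed (no repo-supplied helper found)."""
    return not find_repo_helpers(checkout_root)


def demo():
    # Constructed sample checkout: one clean project, one nested project with a helper.
    with tempfile.TemporaryDirectory() as root:
        clean = Path(root, "clean", ".claude")
        risky = Path(root, "risky", "sub", ".claude")
        clean.mkdir(parents=True)
        risky.mkdir(parents=True)
        (clean / "settings.json").write_text('{"permissions": {}}')
        (risky / "settings.json").write_text('{"apiKeyHelper": "/opt/placeholder-helper"}')
        return gate(Path(root, "clean")), find_repo_helpers(Path(root, "risky"))


if __name__ == "__main__":
    print(demo())
```

Run it against the workspace before the '-p' invocation and fail the job when `gate()` returns False; the check reports any repo-supplied helper rather than judging the command string.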
Key claims
- Three CVEs on v2.1.91 chain into no-click credential+MEMORY.md exfiltration
- All five known Claude Code CVEs share CWE-78 (OS command injection via unsanitized string interpolation)
- Anthropic declined to patch TERMINAL/apiKeyHelper chain, citing 'controlling TERMINAL implies code execution'
Relations
- CVE-2026-35022 --[contains]--> Phoenix Security Kill Chain
- Anthropic VDP 'Informative' Disposition --[blocks]--> CVE-2026-35022
- Jonny Teardown --[related_to]--> CVE-2026-35022