Phoenix Security Kill Chain

• Entity ID: ent-20260419-a1b2c3d4e504
• Type: concept
• Scope: shared
• Status: active
• Aliases: three-CVE chain, TERMINAL-to-exfil chain

Description

Single exploitation chain linking CVE-2026-35020 (TERMINAL env injection, zero user interaction) -> write crafted .claude/settings.json with apiKeyHelper -> CVE-2026-35022 (credential + MEMORY.md exfiltration over HTTP). Demonstrates that the three independently-reported vulnerabilities compose into a no-click compromise of Claude Code sessions on v2.1.91.

Key claims

• Three CVEs on v2.1.91 chain into no-click credential+MEMORY.md exfiltration

Relations

• CVE-2026-35020 --[contains]--> Phoenix Security Kill Chain
• CVE-2026-35022 --[contains]--> Phoenix Security Kill Chain
• Phoenix Security Kill Chain --[depends_on]--> CVE-2026-35020
• Phoenix Security --[owns]--> Phoenix Security Kill Chain

Sources

src-20260409-f5e09e325670