Critical OS Command Injection CVE-2026-35022 Found in Anthropic Claude Code CLI

CVE-2026-35022 is a critical OS command injection vulnerability (CVSS 9.8) affecting Anthropic Claude Code CLI and Claude Agent SDK. The vulnerability allows attackers to inject and execute arbitrary operating system commands through the affected tools, potentially leading to full system compromise. Given the widespread adoption of Claude AI tools in software development workflows, this vulnerability poses significant risk to developer environments, CI/CD pipelines, and production systems where these tools are deployed. The flaw was published in the NVD on April 6-7, 2026. This vulnerability is particularly concerning in the context of AI-assisted development environments where these tools often have elevated privileges and access to sensitive credentials and source code. Recommended mitigations: Apply available patches from Anthropic immediately, restrict Claude Code CLI usage to isolated environments, audit CI/CD pipelines for Claude tool integrations, implement least-privilege principles for AI development tools, and monitor for anomalous command execution.