Summary
tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal inside a python3 -c command. A ''' byte sequence in any user-controlled field of the payload closes the literal early, and the bytes that follow execute as Python in the python3 process the hook spawns, under the user's account.
Affected versions
- v3.5.0
- v3.5.1
Patched versions
- v3.5.2
Affected configurations
Users who wired tools/quota-statusline.sh into Claude Code's statusLine configuration. The v3.5.0 README explicitly recommends this setup, so most users on v3.5.0/v3.5.1 are likely to have it wired in and to be affected.
Attack chain
Claude Code's statusline hook payload reflects user-controlled paths (cwd, workspace.current_dir, workspace.project_dir, transcript_path). Apostrophes are legal in POSIX filesystem paths.
- A hostile directory name containing '''+payload+''' lands on disk via any normal vector: git clone, archive extraction, npm package, downloaded zip, etc.
- The victim has the recommended tools/quota-statusline.sh wired into their CC statusLine config.
- The victim cds anywhere a hostile path is reachable.
- CC fires the statusline hook on every redraw. The Python literal closes early. The injected bytes execute as Python in the user's process.
Severity
Local code execution at user privilege. Persistent re-fire on every statusline redraw. No user interaction beyond cd-ing into the hostile path. The user's shell, CC session, files, SSH keys, and any locally-accessible credentials are reachable from the executed code.
Vulnerable pattern
input=$(cat)
# bash expands $input inside the double-quoted -c argument, so the raw payload
# bytes land verbatim inside the Python ''' ... ''' literal; a ''' in the
# payload terminates the literal and whatever follows is parsed as Python.
result=$(python3 -c "
import json
stdin_data = json.loads('''$input''') if '''$input''' else {}
")
Workarounds
Until upgrading to v3.5.2:
- Disable the statusline by removing the statusLine entry from ~/.claude/settings.json, or
- Replace tools/quota-statusline.sh with a script that does NOT pass stdin through python3 -c "..." (a heredoc + env var rewrite is safe)
Credit
Reported by Jakob Linke (@schuay) via GitHub issue #108.
Timeline
- 2026-05-07, reported (#108)
- 2026-05-07, confirmed, fix implemented (#110)
- 2026-05-07, v3.5.2 published
Impact
Untrusted input (the statusline hook's JSON payload) is interpolated into the python3 -c command string the script builds, allowing arbitrary code to run on the host. Typical impact: code execution in the application's environment.
CVE-2026-45136 has a CVSS score of 7.8 (High). The vector requires local access and user interaction, with no privileges required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.5.2); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Capture stdin in bash, export it as an environment variable, and feed the Python source to python3 through a single-quoted heredoc (<<'PYEOF'). Quoting the delimiter disables all parameter expansion, command substitution and arithmetic expansion inside the body, so no byte of the payload ever becomes part of the Python source text. Python then reads the JSON via os.environ.get('CC_INPUT'), where the bytes are inert at every layer. The decoded values (cwd and the other paths in particular) are still attacker-controlled; do not splice them into another shell or Python command string afterward.
CC_INPUT=$(cat)
export CC_INPUT
python3 <<'PYEOF' 2>/dev/null
import os, json
try:
    cc_input = json.loads(os.environ.get('CC_INPUT') or '{}')
except Exception:
    cc_input = {}
# ...
PYEOF
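To make the literal boundary concrete, here is an added, self-contained demonstration (not part of the original advisory or of the project's code) that runs the python3 -c pattern from the Vulnerable pattern section and the heredoc rewrite above against the same constructed hook payload. The hostile cwd carries the ''' break-out from the Attack chain section with the harmless expression str(6*7) standing in for an attacker's code; the function names, the payloads and the marker are this example's own and assume only that python3 is on PATH.

```shell
#!/bin/sh
# Added demonstration (not from the advisory or the project): the page's two
# stdin-handling patterns side by side on a constructed Claude Code hook payload.

# Constructed benign payload: an ordinary cwd, as the hook would normally send.
benign_payload() {
  printf '%s' '{"cwd": "/home/user/project"}'
}

# Constructed hostile payload: the cwd carries the ''' break-out from the
# advisory's attack chain, with the harmless expression str(6*7) standing in
# for an attacker's code. A quoted heredoc keeps the shell from touching it.
hostile_payload() {
  cat <<'EOF'
{"cwd": "/tmp/x'''+str(6*7)+'''"}
EOF
}

# The v3.5.0/v3.5.1 pattern: bash expands $input inside the -c argument, so
# the payload's bytes become Python source. Prints the cwd Python ends up with.
vulnerable_cwd() {
  input=$(cat)
  python3 -c "
import json
stdin_data = json.loads('''$input''') if '''$input''' else {}
print(stdin_data.get('cwd', ''))
" 2>/dev/null
}

# The v3.5.2 pattern: the payload travels through an environment variable and
# the Python source is a quoted heredoc, so no byte of the payload is ever
# parsed as Python. Prints the cwd Python ends up with.
safe_cwd() {
  CC_INPUT=$(cat)
  export CC_INPUT
  python3 <<'PYEOF' 2>/dev/null
import os, json
try:
    cc_input = json.loads(os.environ.get('CC_INPUT') or '{}')
except Exception:
    cc_input = {}
print(cc_input.get('cwd', ''))
PYEOF
}

# The vulnerable path reports /tmp/x42: the ''' closed the literal and
# str(6*7) was evaluated as Python. The safe path reports the directory name
# byte for byte, including the quotes.
echo "vulnerable: $(hostile_payload | vulnerable_cwd)"
echo "safe:       $(hostile_payload | safe_cwd)"
```

Both functions agree on the benign payload, which is why the bug went unnoticed in normal use; only a path containing ''' separates them.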
Frequently Asked Questions
- What is CVE-2026-45136? CVE-2026-45136 is a high-severity OS command injection vulnerability in claude-code-cache-fix (npm), affecting versions >= 3.5.0, < 3.5.2. It is fixed in 3.5.2. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
- How severe is CVE-2026-45136? CVE-2026-45136 has a CVSS score of 7.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of claude-code-cache-fix are affected by CVE-2026-45136? claude-code-cache-fix (npm) versions >= 3.5.0, < 3.5.2 are affected.
- Is there a fix for CVE-2026-45136? Yes. CVE-2026-45136 is fixed in 3.5.2. Upgrade to this version or later.
- Is CVE-2026-45136 exploitable, and should I be worried? Whether CVE-2026-45136 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-45136 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-45136? Upgrade claude-code-cache-fix to 3.5.2 or later.