SB2026043043 - OS Command Injection in Claude Code

Published: April 30, 2026

Security Bulletin ID: SB2026043043
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) OS Command Injection (CVE-ID: CVE-2025-55284)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements used in an OS command (CWE-78) in the safe-command allowlist and confirmation-prompt handling when Claude Code processes untrusted content in its context window. A remote attacker who can place untrusted content into the context window can cause sensitive information to be disclosed.

Successful exploitation bypasses the confirmation prompts, allowing a file to be read and its contents sent over the network without user confirmation.
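The bulletin does not disclose the exact flaw in Claude Code's allowlist, so the following is an added illustration (not Claude Code's code) of the general weakness class: a confirmation-prompt bypass that occurs when a "safe command" check inspects only the leading word of a shell string, beside a hardened check that parses the whole argv and runs it without a shell. `SAFE_COMMANDS`, `SAFE_SUBCOMMANDS`, both checker functions and the sample strings are all constructed here.

```python
import re
import shlex
import subprocess
from typing import Optional

# Constructed allowlist for this illustration; not Claude Code's real list.
SAFE_COMMANDS = {"ls", "cat", "echo", "git"}
# For commands with subcommands, also pin which subcommands count as safe.
SAFE_SUBCOMMANDS = {"git": {"status", "log", "diff"}}
# Characters that would hand control to the shell beyond a single argv.
SHELL_METACHARS = re.compile(r"[;&|<>`$(){}\n\r]")

def naive_is_safe(command: str) -> bool:
    """Weak check: looks only at the first word of the raw string.
    Anything after a metacharacter is never inspected, so a string that
    merely starts with an allowlisted word skips the confirmation prompt."""
    first = command.strip().split(" ", 1)[0]
    return first in SAFE_COMMANDS

def hardened_is_safe(command: str) -> bool:
    """Parse the command as the shell would and judge the whole argv."""
    if SHELL_METACHARS.search(command):
        return False  # chaining, pipes, redirection, substitution, newlines
    try:
        argv = shlex.split(command, posix=True)
    except ValueError:
        return False  # unbalanced quotes: do not guess what the shell would do
    if not argv or argv[0] not in SAFE_COMMANDS:
        return False
    pinned = SAFE_SUBCOMMANDS.get(argv[0])
    if pinned is not None and (len(argv) < 2 or argv[1] not in pinned):
        return False
    return True

def run_if_safe(command: str) -> Optional[str]:
    """Execute only via an argv list (shell=False); otherwise return None so
    the caller falls back to asking the user for confirmation."""
    if not hardened_is_safe(command):
        return None
    argv = shlex.split(command, posix=True)
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Constructed samples: a benign read, then the same read chained with another command.
    for sample in ("cat notes.txt", "cat notes.txt; env", "echo $(id)", "git log", "git push"):
        print(f"{sample!r:24} naive={naive_is_safe(sample)!s:5} hardened={hardened_is_safe(sample)}")
```

The naive checker treats every sample that begins with an allowlisted word as safe, while the hardened one only accepts the single-command cases and leaves the rest to the confirmation prompt.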


Remediation

Install the update from the vendor's website.