How is CVE-2026-45136 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network access to the target is required to deliver the malicious payload. Authentication (not-required): No account credentials or privileges are required; any process capable of influencing the Claude Code hook stdin payload can trigger the injection. Victim interaction (not-required): No victim action is needed beyond the target system processing a hook payload that contains the injected triple-quote sequence during normal operation. Attack complexity (info): The exploit is reliable and condition-free; injecting ''' into a user-controlled payload field is a deterministic technique with no race conditions or environmental dependencies.

What is the impact of CVE-2026-45136?

Executes arbitrary Python code in the victim's Claude Code process, giving the attacker full control over that process's runtime behavior. Reads files, environment variables, and secrets accessible to the Claude Code process, including API keys and cached authentication material. Modifies or deletes files writable by the Claude Code process, including cached data and any project files in scope. Degrades availability of the Claude Code session, though broader system availability impact is rated low by the CVSS score.

Back to search

HIGHCVE-2026-45136Published 2026-05-27Modified 2026-05-27CNA GitHub_M

CVE-2026-45136: claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/quota-statusline.sh

claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process. This vulnerability is fixed in 3.5.2.

HarborGuard Analysis

HarborGuard analysis

Synopsis

Triple-quote injection in claude-code-cache-fix (versions 3.5.0 through 3.5.1) lets an attacker break out of a Python string literal inside tools/quota-statusline.sh by injecting a ''' sequence into any user-controlled field of the Claude Code hook stdin payload. The vulnerability is reached locally, with no authentication required, because the shell script runs in the context of the user's own Claude Code process. Successful exploitation allows arbitrary Python code to execute in that process. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as the upstream fix is published.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-45136 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds, covering both third-party and custom-built images that include the affected claude-code-cache-fix package. Any image in a customer registry or CI pipeline carrying versions 3.5.0 or 3.5.1 of the package will be flagged automatically.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.6 HIGH (v4.0) and weighting it against each environment's compliance policy to determine urgency. Routed alerts are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

No fix version has been published upstream for this CVE; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fixed release appears. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be initiated automatically once an upstream fix is confirmed.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access to the target is required to deliver the malicious payload.
AuthenticationNot required
No account credentials or privileges are required; any process capable of influencing the Claude Code hook stdin payload can trigger the injection.
Victim interactionNot required
No victim action is needed beyond the target system processing a hook payload that contains the injected triple-quote sequence during normal operation.
Attack complexityDetail
The exploit is reliable and condition-free; injecting ''' into a user-controlled payload field is a deterministic technique with no race conditions or environmental dependencies.

Blast Radius

Executes arbitrary Python code in the victim's Claude Code process, giving the attacker full control over that process's runtime behavior.
Reads files, environment variables, and secrets accessible to the Claude Code process, including API keys and cached authentication material.
Modifies or deletes files writable by the Claude Code process, including cached data and any project files in scope.
Degrades availability of the Claude Code session, though broader system availability impact is rated low by the CVSS score.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45136 is active against all scanned images carrying claude-code-cache-fix 3.5.0 or 3.5.1. Because no upstream fix version has been published, HarborGuard monitors the advisory on every ingest cycle and will surface the patched rebuild automatically once the upstream release lands. In the interim, compensating controls available to customers include network-policy isolation to restrict the Claude Code process's outbound reach, egress filtering to limit exfiltration paths, and disabling or sandboxing tools/quota-statusline.sh through feature-flag or entrypoint configuration in affected images. For customers who opt into auto-remediation, the full rebuild, regression-test run, and PR workflow will be triggered without manual intervention as soon as a fix version is confirmed upstream.

See how HarborGuard automates this

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

cnighswonger / claude-code-cache-fix
>= 3.5.0, < 3.5.2

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

References