← Back to CVEs

CVE-2026-31861

HIGH

8.8

Description

Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, The /api/user/git-config endpoint constructs shell commands by interpolating user-supplied gitName and gitEmail values into command strings passed to child_process.exec(). The input is placed within double quotes and only " is escaped, but backticks (`), $() command substitution, and \ sequences are all interpreted within double-quoted strings in bash. This allows authenticated attackers to execute arbitrary OS commands via the git configuration endpoint. This vulnerability is fixed in 1.24.0.

CVE Details

CVSS v3.1 Score8.8

SeverityHIGH

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredLOW

User InteractionNONE

Published3/11/2026

Last Modified3/17/2026

Sourcenvd

Honeypot Sightings0

Affected Products

cloudcli:cloud_cli

Weaknesses (CWE)

CWE-94

References

https://github.com/siteboon/claudecodeui/commit/86c33c1c0cb34176725a38f46960213714fc3e04(security-advisories@github.com)

https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0(security-advisories@github.com)

https://github.com/siteboon/claudecodeui/security/advisories/GHSA-7fv4-fmmc-86g2(security-advisories@github.com)

https://github.com/siteboon/claudecodeui/security/advisories/GHSA-7fv4-fmmc-86g2(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.