Description

claude-code-cache-fix is a cache optimization proxy for Claude Code. In versions from 3.5.0 up to but not including 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload terminates the literal early, so the bytes that follow it are executed as Python in the user's Claude Code process. This vulnerability is fixed in 3.5.2.

PUBLISHED | Reserved 2026-05-08 | Published 2026-05-27 | Updated 2026-06-02 | Assigner GitHub_M

Severity: HIGH 8.6 | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

>= 3.5.0, < 3.5.2: affected

References

github.com/...he-fix/security/advisories/GHSA-g3xq-3gmv-qq8g exploit

github.com/cnighswonger/claude-code-cache-fix/issues/108 exploit

github.com/...he-fix/security/advisories/GHSA-g3xq-3gmv-qq8g

github.com/cnighswonger/claude-code-cache-fix/issues/108

github.com/cnighswonger/claude-code-cache-fix/pull/110

cve.org (CVE-2026-45136)

nvd.nist.gov (CVE-2026-45136)