Platform
nodejs
Component
@siteboon/claude-code-ui
Fixed in
1.24.1
1.24.0
CVE-2026-31861 describes a Command Injection vulnerability discovered in the @siteboon/claude-code-ui Node.js package. This flaw allows an attacker to execute arbitrary shell commands by manipulating user-supplied gitName and gitEmail values within the /api/user/git-config endpoint, potentially leading to complete system compromise. The vulnerability impacts versions before 1.24.0, and a patch has been released to address the issue.
The primary impact of CVE-2026-31861 is the ability for an attacker to execute arbitrary commands on the server hosting the @siteboon/claude-code-ui application. The vulnerability is particularly concerning because JWT authentication can be bypassed, meaning an attacker doesn't necessarily need valid credentials to exploit it. Successful exploitation could lead to data exfiltration, modification of system files, installation of malware, and ultimately, full control of the affected server. The vulnerability’s location within a user configuration endpoint suggests that it could be exploited to gain access to sensitive user data or to modify application behavior.
CVE-2026-31861 was publicly disclosed on 2026-03-10. While no active exploitation campaigns are currently known, the bypassable JWT authentication makes this a high-risk vulnerability. The vulnerability's description references a related vulnerability (VULN-01), which suggests a potential chaining of exploits. The CVSS score of 8.8 (High) reflects the severity of the vulnerability and the ease of exploitation.
Organizations using @siteboon/claude-code-ui in their Node.js applications, particularly those relying on JWT authentication for access control, are at risk. Development teams using this package in CI/CD pipelines or automated deployment systems are also vulnerable if they haven't implemented robust input validation. Shared hosting environments where multiple applications share the same server are especially susceptible, as a compromise of one application could lead to the compromise of others.
• nodejs / server:
ps aux | grep '/api/user/git-config' | grep -i 'gitName' | grep -i 'gitEmail'
• nodejs / server:
journalctl -u your-node-app -g 'api/user/git-config' --since "1 hour ago"
• generic web:
curl -I 'your-server.com/api/user/git-config?gitName=;ls' # Check for command execution in response headers
disclosure
patch
Exploit status
EPSS
0.05% (16th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-31861 is to immediately upgrade to version 1.24.0 or later of the @siteboon/claude-code-ui package. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the gitName and gitEmail parameters within the /api/user/git-config endpoint to prevent command injection. A Web Application Firewall (WAF) configured to block suspicious shell command patterns could also provide a temporary layer of protection. After upgrading, confirm the fix by attempting to submit a crafted request to the /api/user/git-config endpoint with malicious input and verifying that the command is not executed.
Update Cloud CLI to version 1.24.0 or higher. This version fixes the shell command injection vulnerability. The update can be performed by downloading the latest version from the official website or by using the corresponding package manager.
CVE-2026-31861 is a Command Injection vulnerability in the @siteboon/claude-code-ui Node.js package, allowing attackers to execute arbitrary OS commands through the /api/user/git-config endpoint.
You are affected if you are using @siteboon/claude-code-ui versions prior to 1.24.0 and the /api/user/git-config endpoint is accessible.
Upgrade to @siteboon/claude-code-ui version 1.24.0 or later. Implement input validation and WAF rules as temporary mitigations.
While no public exploits are currently known, the high CVSS score and potential for authentication bypass suggest a high probability of exploitation.
Refer to the @siteboon/claude-code-ui project's repository or website for the official advisory and release notes.