Platform
nodejs
Component
@siteboon/claude-code-ui
Fixed in
1.24.1
1.24.0
CVE-2026-31861 describes a Command Injection vulnerability discovered in the @siteboon/claude-code-ui Node.js package. This flaw allows attackers to execute arbitrary operating system commands through the /api/user/git-config endpoint, potentially leading to severe consequences such as data exfiltration and complete system compromise. The vulnerability impacts versions before 1.24.0 and requires JWT authentication, which may be bypassable. A fix is available in version 1.24.0.
The vulnerability lies within the /api/user/git-config endpoint, which constructs shell commands using user-supplied gitName and gitEmail values. Insufficient sanitization of these inputs allows an attacker to inject arbitrary commands into the shell execution. Successful exploitation could grant an attacker full control over the underlying server, enabling them to read sensitive files, modify system configurations, install malware, or pivot to other systems on the network. The CVSS score of 8.8 (High) highlights the significant risk, especially considering the potential for authentication bypass. This vulnerability shares similarities with other OS command injection flaws where improper input validation leads to arbitrary code execution.
CVE-2026-31861 was publicly disclosed on 2026-03-10. The vulnerability requires JWT authentication, but the description mentions a potential bypass (VULN-01), which could significantly lower the barrier to exploitation. Currently, there are no publicly available exploits, but the high CVSS score and relatively straightforward nature of command injection suggest a high probability of exploitation if a bypass is found. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
0.05% (16% percentile)
CISA SSVC
The primary mitigation is to immediately upgrade to @siteboon/claude-code-ui version 1.24.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. First, strictly validate and sanitize all user-supplied input to the /api/user/git-config endpoint, ensuring that gitName and gitEmail contain only expected characters. Implement a Web Application Firewall (WAF) rule to block requests containing suspicious shell command characters. Review and restrict the permissions of the user account running the Node.js application to minimize the impact of a successful exploit. Monitor system logs for unusual command executions or suspicious activity related to the /api/user/git-config endpoint.
Update Cloud CLI to version 1.24.0 or higher. This version fixes the shell command injection vulnerability. The update can be performed by downloading the latest version from the official website or using the corresponding package manager.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-31861 is a Command Injection vulnerability in the @siteboon/claude-code-ui Node.js package, allowing attackers to execute arbitrary OS commands through the /api/user/git-config endpoint.
You are affected if you are using @siteboon/claude-code-ui versions prior to 1.24.0 and the /api/user/git-config endpoint is accessible.
Upgrade to @siteboon/claude-code-ui version 1.24.0 or later. Implement input validation and WAF rules as temporary mitigations.
While no public exploits are currently known, the high CVSS score and potential for authentication bypass suggest a high probability of exploitation.
Refer to the @siteboon/claude-code-ui project's repository or website for the official advisory and release notes.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.