Threat Advisory

Claude Code Vulnerability Enables Local Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45136 is a vulnerability in claude-code-cache-fix, specifically affecting versions 3.5.0 and 3.5.1, that allows local code execution via Python triple-quote injection in tools/quota-statusline.sh. The script interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal, so a ''' byte sequence in any user-controlled field of the payload closes the literal early and the bytes that follow execute as Python in the user's Claude Code process. Users who have wired tools/quota-statusline.sh into Claude Code's statusLine configuration, as recommended in the v3.5.0 README, are affected. An attacker can exploit this vulnerability by creating a hostile directory name containing a malicious payload; the name lands on disk via any normal vector, such as git clone or archive extraction, and the injected bytes then execute as Python in the user's process. The result is local code execution at user privilege that re-fires persistently on every statusline redraw and requires no user interaction beyond cd-ing into the hostile path. The user's shell, CC session, files, SSH keys, and any locally accessible credentials are reachable from the executed code.
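The root cause above is a statusline helper that builds Python source text out of the hook payload. The safe counterpart is to hand the payload to Python as data and parse it, so a directory name containing ''' is just a string value. The renderer below is an added, hypothetical example written for this advisory; it is not code from claude-code-cache-fix or from Claude Code, and the "cwd" field name it reads is an assumption about the payload layout rather than something taken from either project.

```python
"""Hardened statusline renderer (added example; hypothetical, not the project's code).

Claude Code delivers the hook payload to the statusLine command as JSON on stdin.
The safe pattern is to treat those bytes as data: decode them with json.loads
and never splice them into Python source text that is later executed.
"""
import json
import os
import sys


def render_statusline(raw_payload: bytes) -> str:
    """Return a one-line status string built from the raw JSON hook payload.

    Every field, including a directory name that happens to contain ''' or
    other Python syntax, arrives as an ordinary str value. Malformed input is
    reported, never executed.
    """
    try:
        payload = json.loads(raw_payload.decode("utf-8", errors="replace"))
    except json.JSONDecodeError:
        return "[statusline: invalid payload]"
    if not isinstance(payload, dict):
        return "[statusline: unexpected payload type]"

    # "cwd" is an assumed field name used for illustration only.
    cwd = payload.get("cwd", "")
    if not isinstance(cwd, str):
        return "[statusline: unexpected field type]"

    # basename() operates on the string; no part of it is ever parsed as code.
    name = os.path.basename(cwd.rstrip("/")) or "/"
    return f"cwd: {name}"


if __name__ == "__main__":
    # Usage: the hook pipes its JSON payload to this script's stdin.
    print(render_statusline(sys.stdin.buffer.read()))
```

If the shell wrapper must stay, the same rule applies on that side: pipe the payload into `python3 script.py` (or pass it through an environment variable and read `os.environ`) instead of expanding it inside a heredoc that becomes Python source.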

RECOMMENDATION:

  • We recommend updating Claude Code to version v3.5.2 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-g3xq-3gmv-qq8g