8.7

Cloud CLI: Unauthenticated Git Configuration Command Injection

GHSA-7fv4-fmmc-86g2 CVE-2026-31861
Summary

Cloud CLI's Git configuration endpoint doesn't properly escape user input, allowing attackers to execute arbitrary OS commands. This issue affects versions prior to 1.24.0. Update to version 1.24.0 or later to fix the issue.

What to do
  • Update siteboon claude-code-ui to version 1.24.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| siteboon | claude-code-ui | <= 1.23.0 | 1.24.0 |
Original title
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, the /api/user/git-config endpoint constructs shell commands by interpo...
Original description
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, the /api/user/git-config endpoint constructs shell commands by interpolating user-supplied gitName and gitEmail values into command strings passed to child_process.exec(). The input is placed within double quotes and only " is escaped, but backticks (`), $() command substitution, and \ sequences are all interpreted within double-quoted strings in bash. This allows authenticated attackers to execute arbitrary OS commands via the git configuration endpoint. This vulnerability is fixed in 1.24.0.
Vulnerability type
CWE-94 Code Injection
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026