RAXE-2026-032 CRITICAL CVSS 9.8 v3.1 S3

claude-code-ui Triple Command Injection (CVE-2026-31975, CVE-2026-31862, CVE-2026-31861)

Supply Chain 2026-03-11 M. Hirani TLP:GREEN

1. Executive Summary

What: Three command injection vulnerabilities exist in @siteboon/claude-code-ui, an npm package providing a web-based user interface for Anthropic's Claude Code CLI (npm registry). The vulnerabilities span three distinct attack surfaces: unauthenticated remote code execution via WebSocket shell injection (CVE-2026-31975, CVSS 9.8 Critical, CNA-submitted via GHSA-gv8f-wpm2-m5wr), multi-parameter command injection across seven git-related API endpoints (CVE-2026-31862, CVSS 9.1 Critical, CNA-submitted via GHSA-f2fc-vc88-6w7q), and shell command injection in a git configuration route (CVE-2026-31861, CVSS 8.8 High, CNA-submitted via GHSA-7fv4-fmmc-86g2). All three share a common root cause: user-controlled input is interpolated directly into shell command strings without adequate sanitisation (GHSA-gv8f-wpm2-m5wr, GHSA-f2fc-vc88-6w7q, GHSA-7fv4-fmmc-86g2).

So What: The most severe vulnerability (CVE-2026-31975) requires no authentication -- the package ships with a hardcoded JWT secret ('claude-ui-dev-secret-change-in-production') that allows an attacker to forge authentication tokens and connect to the WebSocket /shell endpoint to run arbitrary OS commands on the server (GHSA-gv8f-wpm2-m5wr). A complete working proof-of-concept demonstrating the full attack chain from token forgery to command execution was published by the original reporters and is included in the advisory (GHSA-gv8f-wpm2-m5wr). When all three vulnerabilities co-exist on a default-configuration deployment, the authentication bypass from CVE-2026-31975 renders CVE-2026-31862 and CVE-2026-31861 -- nominally requiring authentication -- effectively unauthenticated, giving an attacker three independent remote code execution paths (RAXE assessment).

Now What: Organisations running @siteboon/claude-code-ui should immediately upgrade to version 1.25.0, which addresses all three CVEs, or remove the package entirely (GHSA-gv8f-wpm2-m5wr, GHSA-f2fc-vc88-6w7q, GHSA-7fv4-fmmc-86g2, npm registry). Instances exposed to untrusted networks should be taken offline until patched (RAXE assessment). Security teams should audit npm dependency trees for third-party AI coding tool UIs and verify that none are deployed with default credentials (RAXE assessment).


2. Risk Rating

| Dimension | Rating | Detail |
| --- | --- | --- |
| Severity | CRITICAL (cluster) | Lead CVE (CVE-2026-31975) scored 9.8 Critical; cluster includes 9.1 Critical and 8.8 High (all CNA-submitted, see table below) |
| Urgency | HIGH | Public PoC available for CVE-2026-31975; patches available; no in-the-wild exploitation confirmed (GHSA-gv8f-wpm2-m5wr, RAXE assessment) |
| Scope | UNCHANGED (S:U) for CVE-2026-31975, CVE-2026-31861; CHANGED (S:C) for CVE-2026-31862 | Per CNA-submitted CVSS vectors (GHSA advisories) |
| Confidence | HIGH | Three CVEs assigned, GHSA-reviewed advisories published, fix commits available, working PoC published for lead CVE (GHSA advisories) |
| Business Impact | HIGH | Full server compromise via unauthenticated RCE; credential theft; lateral movement; supply-chain code modification (GHSA-gv8f-wpm2-m5wr, GHSA-f2fc-vc88-6w7q) |

CVSS Scores -- All CNA-Submitted

None of the three CVEs has been published to the National Vulnerability Database as of 2026-03-11 (verified via NVD REST API queries returning zero results; GHSA advisories are the sole authoritative source). All CVSS scores below are CNA-submitted scores from the GitHub Security Advisory database, not NVD primary scores.

No EPSS (Exploit Prediction Scoring System) scores are available for any of the three CVEs (FIRST.org EPSS API returns empty results for all three as of 2026-03-11).

| CVE | GHSA | CVSS | Severity | Vector | Source |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-31975 | GHSA-gv8f-wpm2-m5wr | 9.8 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CNA-submitted (GHSA-gv8f-wpm2-m5wr) |
| CVE-2026-31862 | GHSA-f2fc-vc88-6w7q | 9.1 | Critical | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CNA-submitted (GHSA-f2fc-vc88-6w7q) |
| CVE-2026-31861 | GHSA-7fv4-fmmc-86g2 | 8.8 | High | Not published (advisory states 8.8 "when chained with VULN-01"; no CVSS:3.1 vector string provided) | CNA-submitted, conditional (GHSA-7fv4-fmmc-86g2) |

Authentication language: CVE-2026-31975 specifies PR:N (unauthenticated). CVE-2026-31862 specifies PR:H (privileged access). CVE-2026-31861 requires a valid JWT token. On default-configuration deployments, chaining with CVE-2026-31975 renders all three effectively unauthenticated (RAXE assessment).


3. Affected Products

| CVE | Package | Registry | Affected Versions | Fixed Version | Fix Commit | Source |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-31975 | @siteboon/claude-code-ui | npm | <= 1.24.0 | 1.25.0 | 12e7f07 | GHSA-gv8f-wpm2-m5wr |
| CVE-2026-31862 | @siteboon/claude-code-ui | npm | <= 1.23.0 | 1.24.0 | 55567f4 (referenced in advisory; not publicly accessible) | GHSA-f2fc-vc88-6w7q |
| CVE-2026-31861 | @siteboon/claude-code-ui | npm | <= 1.23.0 | 1.24.0 | 86c33c1 | GHSA-7fv4-fmmc-86g2 |

Remediation path: Upgrading to version 1.25.0 addresses all three CVEs. Version 1.24.0 addresses CVE-2026-31862 and CVE-2026-31861 but remains vulnerable to CVE-2026-31975. The npm registry confirms 1.25.0 as the latest published version (npm registry).

Package details: @siteboon/claude-code-ui is described as "A web-based UI for Claude Code CLI" (npm registry). The package is maintained by a single maintainer (simossiteboon) and provides both cloudcli and claude-code-ui CLI entry points (npm registry). The source repository is siteboon/claudecodeui on GitHub (npm registry).

Package name discrepancy: GHSA-f2fc-vc88-6w7q lists the vulnerable package as @siteboon/claudecodeui (without hyphen), while the other two advisories and the npm registry use @siteboon/claude-code-ui (with hyphen). The unhyphenated name @siteboon/claudecodeui does not resolve as a separate npm package (npm registry returns 404). The source repository name is siteboon/claudecodeui (unhyphenated) in all three advisories. The discrepancy is consistent with an advisory naming error in GHSA-f2fc-vc88-6w7q rather than a distinct package (RAXE assessment based on GHSA advisories, npm registry).

Am I Affected?

  1. Check if the package is installed: npm ls @siteboon/claude-code-ui, or search node_modules/ for claude-code-ui and claudecodeui (GHSA-f2fc-vc88-6w7q uses the unhyphenated repository name; the unhyphenated scoped package does not exist on npm, but the directory name in node_modules may match the repository name)
  2. Check installed version: npm info @siteboon/claude-code-ui version
  3. Any version at or below 1.24.0 is vulnerable to CVE-2026-31975; any version at or below 1.23.0 is additionally vulnerable to CVE-2026-31862 and CVE-2026-31861 (GHSA advisories)
  4. Check if the JWT_SECRET environment variable is set to a unique value -- deployments using the default (unset) value are vulnerable to unauthenticated exploitation via CVE-2026-31975 (GHSA-gv8f-wpm2-m5wr)
  5. Check if the instance is accessible from untrusted networks -- any network-accessible deployment with the default JWT secret is immediately exploitable (RAXE assessment)

4. Abstract

RAXE-2026-032 is a cluster finding covering three command injection vulnerabilities in @siteboon/claude-code-ui, a community-maintained npm package that provides a web-based user interface for Anthropic's Claude Code CLI (npm registry). The three CVEs represent distinct injection vectors that share a common root cause: the application constructs shell command strings via interpolation of user-controlled input rather than using process spawning with argument arrays and shell: false (GHSA-gv8f-wpm2-m5wr, GHSA-f2fc-vc88-6w7q, GHSA-7fv4-fmmc-86g2).

CVE-2026-31975 is the most severe: a three-link vulnerability chain combining a hardcoded JWT fallback secret (CWE-1188), a WebSocket authentication function that skips database validation of user identity (CWE-287), and shell command injection in the WebSocket /shell endpoint (CWE-78), resulting in unauthenticated remote code execution (GHSA-gv8f-wpm2-m5wr). CVE-2026-31862 affects seven git-related REST API endpoints where parameters are injected into shell commands; the quote-escaping applied is inadequate and fails to neutralise $(), backtick, and command-chaining metacharacters (GHSA-f2fc-vc88-6w7q). CVE-2026-31861 affects the git configuration endpoint where gitName and gitEmail parameters are interpolated into git config --global shell commands, with only double-quote escaping applied -- leaving subshell expressions intact (GHSA-7fv4-fmmc-86g2).

The cluster is analysed together because CVE-2026-31975's authentication bypass elevates the effective severity of CVE-2026-31862 and CVE-2026-31861 from authenticated to unauthenticated on default-configuration deployments, providing an attacker with three independent remote code execution paths from a single network position (RAXE assessment). All CVSS scores are CNA-submitted via the GitHub Security Advisory database; none of the three CVEs have been published to the National Vulnerability Database as of 2026-03-11.


5. Key Findings

  1. Unauthenticated RCE via hardcoded JWT secret and WebSocket shell endpoint. CVE-2026-31975 chains an insecure default JWT secret, a WebSocket authentication bypass (no database lookup for userId), and shell command injection in the /shell endpoint to achieve unauthenticated remote code execution. A working proof-of-concept was published by the original reporters (GHSA-gv8f-wpm2-m5wr).

  2. At least seven git API endpoints injectable via shell metacharacters (with five further endpoints patched in the fix commit). CVE-2026-31862 documents seven endpoints in server/routes/git.js where user-supplied parameters are interpolated into shell commands. The fix commit additionally patches five further endpoints not listed in the advisory's primary enumeration (GHSA-f2fc-vc88-6w7q, fix section). The application's double-quote escaping is insufficient -- $(), backtick, ;, &&, ||, and newline characters bypass the sanitisation (GHSA-f2fc-vc88-6w7q).

  3. Git configuration route allows persistent server-side modification. CVE-2026-31861 exploits the /api/user/git-config endpoint to inject commands via gitName and gitEmail fields into git config --global invocations, modifying the server-wide git identity as a persistent side-effect (GHSA-7fv4-fmmc-86g2).

  4. Chaining amplifies aggregate severity. On default-configuration deployments, CVE-2026-31975 provides unauthenticated access that renders CVE-2026-31862 (PR:H) and CVE-2026-31861 effectively unauthenticated, giving an attacker three independent RCE paths from a single network position. The individual CVSS vectors understate the aggregate attack surface (RAXE assessment).

  5. Common root cause across all three CVEs. All three vulnerabilities result from the same coding pattern: shell command construction via string interpolation using Node.js child_process in shell mode. The remediation in all three fix commits replaces shell-mode execution with spawn() using argument arrays and shell: false (GHSA-gv8f-wpm2-m5wr, GHSA-f2fc-vc88-6w7q, GHSA-7fv4-fmmc-86g2).

  6. Additional defence-in-depth failures documented. The CVE-2026-31975 advisory additionally documents: unauthenticated user registration (CWE-306 at server/routes/auth.js:22), overly permissive CORS (Access-Control-Allow-Origin: * at server/index.js:325), and non-expiring JWT tokens (CWE-613 at server/middleware/auth.js:70) (GHSA-gv8f-wpm2-m5wr).


6. Attack Flow

The following diagram illustrates the three independent attack paths and the chaining relationship between CVE-2026-31975 and the other two CVEs on a default-configuration deployment.

                              ATTACKER
                         (network access only)
                                |
                +---------------+----------------+
                |                                |
                v                                v
    +-----------------------+      +--------------------------+
    | PATH A: WebSocket RCE |      | PATH B & C: REST API     |
    | CVE-2026-31975        |      | CVE-2026-31862 / 31861   |
    +-----------------------+      +--------------------------+
                |                                |
                v                                |
    +-----------------------+                    |
    | 1. FORGE JWT          |                    |
    | Sign token with known |                    |
    | default secret:       |                    |
    | 'claude-ui-dev-       |                    |
    |  secret-change-in-    |                    |
    |  production'          |                    |
    | (GHSA-gv8f-wpm2-m5wr)|                    |
    +-----------+-----------+                    |
                |                                |
                +----------- forged JWT --------+|
                |              provides auth     ||
                v                                vv
    +-----------------------+      +--------------------------+
    | 2. CONNECT /shell WS  |      | 2. CALL GIT API ENDPOINT |
    | authenticateWebSocket |      | /api/git/commit-diff     |
    | validates signature   |      | /api/git/diff ...        |
    | but skips DB lookup   |      | /api/user/git-config     |
    | for userId            |      | (7 endpoints + 1 route)  |
    | (GHSA-gv8f-wpm2-m5wr)|      | (GHSA-f2fc-vc88-6w7q,   |
    +-----------+-----------+      |  GHSA-7fv4-fmmc-86g2)    |
                |                  +------------+-------------+
                v                               |
    +-----------------------+                   v
    | 3. INJECT via init    |      +--------------------------+
    | initialCommand:       |      | 3. INJECT via params     |
    |  "id; cat /etc/passwd"|      | commit: "abc;id"         |
    | projectPath:          |      | gitName: "$(whoami)"     |
    |  shell injection      |      | file: "$(cat /etc/pw*)"  |
    | sessionId:            |      | Bypass: $(), backtick,   |
    |  shell injection      |      |  ; && || newline         |
    | (GHSA-gv8f-wpm2-m5wr)|      | (GHSA-f2fc-vc88-6w7q,   |
    +-----------+-----------+      |  GHSA-7fv4-fmmc-86g2)    |
                |                  +------------+-------------+
                |                               |
                +---------------+---------------+
                                |
                                v
                   +------------------------+
                   | ARBITRARY OS COMMAND    |
                   | EXECUTION              |
                   | As Node.js process user|
                   | - File system access   |
                   | - Credential theft     |
                   | - Lateral movement     |
                   | - Code modification    |
                   | (GHSA advisories)      |
                   +------------------------+

7. Technical Details

7.1 CVE-2026-31975 -- WebSocket Shell Injection (Unauthenticated RCE)

CWE IDs: CWE-1188 ("Initialization with Insecure Default"), CWE-287 ("Improper Authentication"), CWE-78 ("Improper Neutralization of Special Elements used in an OS Command"), CWE-306 ("Missing Authentication for Critical Function"), CWE-942 ("Permissive Cross-domain Policy with Untrusted Domains"), CWE-613 ("Insufficient Session Expiration") (GHSA-gv8f-wpm2-m5wr)

This vulnerability is a three-link chain that escalates from insecure defaults to unauthenticated remote code execution (GHSA-gv8f-wpm2-m5wr):

Link 1 -- Insecure Default JWT Secret (CWE-1188). The server at server/middleware/auth.js line 6 defaults to the hardcoded value 'claude-ui-dev-secret-change-in-production' when the JWT_SECRET environment variable is absent. This variable is not documented in .env.example, meaning deployments where JWT_SECRET is not explicitly set operate with the publicly known fallback secret (GHSA-gv8f-wpm2-m5wr).

Link 2 -- WebSocket Authentication Bypass (CWE-287). The authenticateWebSocket() function at server/middleware/auth.js lines 82--108 verifies the JWT signature but does not check whether the userId in the token payload corresponds to an actual database record. The corresponding REST authentication function (authenticateToken()) correctly performs this database lookup. The asymmetry means a forged token containing a fabricated userId passes WebSocket authentication (GHSA-gv8f-wpm2-m5wr).

Link 3 -- OS Command Injection (CWE-78). At server/index.js line 1179, the projectPath and initialCommand parameters from the WebSocket init message are interpolated directly into a bash command string without sanitisation. At line 1257, the sessionId parameter in the session-resumption code path provides a secondary injection vector. The projectPath parameter is also injectable via double-quote escape sequences: a crafted value such as " && COMMAND && echo " causes the embedded command to run (GHSA-gv8f-wpm2-m5wr).

Confirmed outcomes documented in the advisory: arbitrary OS command execution, file system read and write access, credential theft (SSH keys, .env files, API keys), and lateral movement within the host network (GHSA-gv8f-wpm2-m5wr).

Remediation applied in fix commit 12e7f07: The fix mandates explicit JWT_SECRET configuration (removing the fallback), adds database user validation to authenticateWebSocket(), and replaces string interpolation with spawned process arguments using the cwd parameter (GHSA-gv8f-wpm2-m5wr).
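
Added example, not code from the project or the advisory: a minimal Node.js sketch of the controls described above, namely a startup check that refuses a missing, default or short JWT_SECRET, tokens that always carry an expiry, and a WebSocket check that looks the userId up after verifying the signature. The function names and the Map-based user store are hypothetical; the project uses its own database layer.

```javascript
const crypto = require('node:crypto');

// Fallback value quoted in GHSA-gv8f-wpm2-m5wr; a deployment must never run with it.
const KNOWN_DEFAULT = 'claude-ui-dev-secret-change-in-production';

// Fail closed at startup instead of falling back to a built-in secret.
function loadJwtSecret(env) {
  const secret = env.JWT_SECRET;
  if (!secret) throw new Error('JWT_SECRET is not set');
  if (secret === KNOWN_DEFAULT) throw new Error('JWT_SECRET is the published default');
  if (secret.length < 32) throw new Error('JWT_SECRET is shorter than 32 characters');
  return secret;
}

const b64url = (data) => Buffer.from(data).toString('base64url');

function hmac(data, secret) {
  return crypto.createHmac('sha256', secret).update(data).digest();
}

// Issue an HS256 token that always carries an expiry (the CWE-613 weakness is
// token generation without one). `now` is injectable for testing.
function issueToken(userId, secret, ttlSeconds, now = Date.now()) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const iat = Math.floor(now / 1000);
  const payload = b64url(JSON.stringify({ userId, iat, exp: iat + ttlSeconds }));
  const sig = b64url(hmac(`${header}.${payload}`, secret));
  return `${header}.${payload}.${sig}`;
}

// Verify signature, algorithm and expiry; returns the payload or null.
function verifyToken(token, secret, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = hmac(`${header}.${payload}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return null;
  }
  let h;
  let p;
  try {
    h = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
    p = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (!h || h.alg !== 'HS256') return null;
  if (!p || typeof p.exp !== 'number' || p.exp * 1000 <= now) return null;
  return p;
}

// WebSocket authentication: a valid signature is not enough, the userId in the
// payload must resolve to a stored user (the lookup the REST path already did).
function authenticateWebSocketToken(token, secret, users, now = Date.now()) {
  const payload = verifyToken(token, secret, now);
  if (!payload) return null;
  return users.get(payload.userId) ?? null;
}
```

A correctly signed token whose userId has no record is rejected by the final lookup, which is the asymmetry Link 2 describes.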

7.2 CVE-2026-31862 -- Multi-Parameter Command Injection

CWE ID: CWE-77 ("Improper Neutralization of Special Elements used in a Command") (GHSA-f2fc-vc88-6w7q)

Seven git-related API endpoints in server/routes/git.js use string interpolation of user-supplied parameters into shell commands passed to async wrappers around Node.js child_process in shell mode (GHSA-f2fc-vc88-6w7q). The application applies double-quote escaping to some parameters, but this protection is bypassed by shell metacharacters including command substitution ($(command) and backtick variants), command-chaining operators (;, &&, ||), and newline characters (GHSA-f2fc-vc88-6w7q).

Affected endpoints and injectable parameters (GHSA-f2fc-vc88-6w7q):

| Endpoint | Method | Injectable Parameter | Quoting Applied |
| --- | --- | --- | --- |
| /api/git/diff | GET | file | Double-quoted |
| /api/git/status | GET | file (line 205) | Double-quoted |
| /api/git/commit | POST | files[] array entries (lines 375--379) | Double-quoted |
| /api/git/commit | POST | message (lines 375--379) | " escaped but $() not |
| /api/git/checkout | POST | branch | Double-quoted |
| /api/git/create-branch | POST | branch | Double-quoted |
| /api/git/commits | GET | Commit hash parameter | None -- direct concatenation |
| /api/git/commit-diff | GET | commit (lines 541--543) | None -- direct concatenation |

The advisory's fix section (commit 55567f4) additionally patches five endpoints not listed in the primary "Affected Endpoints" enumeration: /api/git/file-with-diff, /api/git/generate-commit-message, /api/git/discard, /api/git/delete-untracked, and /api/git/publish (GHSA-f2fc-vc88-6w7q, fix section). Whether these five endpoints were independently exploitable or defensively hardened has not been confirmed.

The commit-diff endpoint is the most directly injectable path. The vulnerable code pattern is (GHSA-f2fc-vc88-6w7q):

// Vulnerable pattern (pre-fix) -- shell-mode execution with unsanitised input
const { stdout } = await execAsync(
  `git show ${commit}`,    // commit value reaches shell unescaped
  { cwd: projectPath }
);

No escaping or quoting is applied to commit before it reaches the shell (GHSA-f2fc-vc88-6w7q).

The advisory confirms that full OS command execution, file system access, and supply-chain impact through direct modification of committed code are all achievable outcomes (GHSA-f2fc-vc88-6w7q).

Remediation applied in fix commit 55567f4: All shell-mode calls are replaced with child_process.spawn() using shell: false, with arguments passed as arrays. A strict allowlist regex (/^[0-9a-f]{4,64}$/i) now validates commit hash parameters (GHSA-f2fc-vc88-6w7q).

7.3 CVE-2026-31861 -- Git Route Shell Injection

CWE IDs: CWE-78 ("Improper Neutralization of Special Elements used in an OS Command"), CWE-94 ("Improper Control of Generation of Code") (GHSA-7fv4-fmmc-86g2)

The /api/user/git-config endpoint in server/routes/user.js at lines 58--59 interpolates the gitName and gitEmail request body parameters into shell commands (GHSA-7fv4-fmmc-86g2). The only sanitisation applied is escaping the double-quote character. Within bash double-quoted strings, backtick and $() subshell expressions are still evaluated by the shell interpreter before the surrounding command runs (GHSA-7fv4-fmmc-86g2).

The vulnerable code pattern constructs (GHSA-7fv4-fmmc-86g2):

git config --global user.name "VALUE_WITH_EMBEDDED_SUBSHELL"

An attacker providing gitName as $(id) causes the id command to run as the Node.js process user before the git config operation completes (GHSA-7fv4-fmmc-86g2).

Because the invocation uses --global, injected commands modify the server-wide git identity, affecting all subsequent git operations performed by the server process -- creating a persistent side-effect beyond the initial command execution (GHSA-7fv4-fmmc-86g2).

Remediation applied in fix commit 86c33c1: Shell-mode invocation replaced with spawn() using argument arrays, preventing shell metacharacter interpretation (GHSA-7fv4-fmmc-86g2).
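
Added example, not the project's code: the remediation pattern from sections 7.2 and 7.3 as a small Node.js module, with the pre-fix escaping kept beside it for comparison. All function names are hypothetical; the comparison function assumes a POSIX sh, and a Node child process stands in for git so that nothing touches a repository or the global git configuration. The probe value is constructed and harmless.

```javascript
const { execSync, spawnSync } = require('node:child_process');

// Allowlist quoted in the CVE-2026-31862 fix description: 4 to 64 hex characters.
const COMMIT_HASH = /^[0-9a-f]{4,64}$/i;

// Build argv for `git show`; anything that is not a plain hash is rejected
// before a process is ever started.
function gitShowArgs(commit) {
  if (typeof commit !== 'string' || !COMMIT_HASH.test(commit)) {
    throw new Error('invalid commit hash');
  }
  return ['show', commit];
}

// Build argv for the git-config route: the value travels as one argv element
// and is never parsed as shell text.
function gitConfigArgs(key, value) {
  if (key !== 'user.name' && key !== 'user.email') {
    throw new Error('unexpected config key');
  }
  return ['config', '--global', key, String(value)];
}

// Run a program with an argument array and no shell in between.
function run(file, args, cwd) {
  const r = spawnSync(file, args, { cwd, shell: false, encoding: 'utf8' });
  if (r.error) throw r.error;
  if (r.status !== 0) throw new Error(r.stderr || `exit status ${r.status}`);
  return r.stdout;
}

// Pre-fix pattern, kept for comparison only: escape just the double quote and
// hand the resulting string to a shell.
function echoThroughShell(value) {
  const escaped = String(value).replace(/"/g, '\\"');
  return execSync(`printf '%s' "${escaped}"`, { encoding: 'utf8' });
}

// Same value passed as an argv element to a stand-in child that prints its
// first argument back unchanged.
function echoThroughArgv(value) {
  const script = 'process.stdout.write(process.argv[1])';
  return run(process.execPath, ['-e', script, String(value)]);
}

// Constructed probe: prints a marker only if a shell evaluates the subshell.
const PROBE = '$(printf SUBSHELL-RAN)';
```

Passing PROBE to echoThroughShell returns the marker, because the shell evaluated the subshell inside the double quotes; echoThroughArgv returns the probe text unchanged.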

7.4 Additional Attack Surface

The CVE-2026-31975 advisory documents three further weaknesses that reduce defence-in-depth without themselves being primary RCE vectors (GHSA-gv8f-wpm2-m5wr):

| CWE | Location | Description |
| --- | --- | --- |
| CWE-306 | server/routes/auth.js:22 | /api/auth/register requires no authentication -- first caller becomes administrator |
| CWE-942 | server/index.js:325 | CORS configured without options, resulting in Access-Control-Allow-Origin: * |
| CWE-613 | server/middleware/auth.js:70 | Token generation sets no expiry -- issued tokens never expire |

8. Confidence & Validation

Assessment Confidence: High

| Aspect | Status | Detail |
| --- | --- | --- |
| Vendor Advisory | Published | Three GHSA advisories published 2026-03-09 to 2026-03-10; GHSA-gv8f-wpm2-m5wr reviewed 2026-03-11 (GHSA advisories) |
| CVE Assigned | Yes (3) | CVE-2026-31975, CVE-2026-31862, CVE-2026-31861 -- all CNA-assigned via GHSA; not yet published to NVD (NVD API) |
| PoC Available | Yes (CVE-2026-31975) | Working exploit chain published by Ethan-Yang (OPCIA), verified 2026-03-02 (GHSA-gv8f-wpm2-m5wr). CVE-2026-31862 and CVE-2026-31861 documented conceptually without standalone PoC scripts |
| Patch Available | Yes | v1.25.0 fixes CVE-2026-31975; v1.24.0 fixes CVE-2026-31862 and CVE-2026-31861 (GHSA advisories, npm registry) |
| Exploited in Wild | Not confirmed | No CISA KEV listing; CVEs not yet in NVD; published PoC for CVE-2026-31975 lowers the exploitation barrier (RAXE assessment) |
| EPSS | Not available | FIRST.org EPSS API returns empty results for all three CVEs as of 2026-03-11 |
| NVD Status | Not yet published | All three CVEs return zero results from the NVD API as of 2026-03-11 |

Key assumptions (KAC):

| # | Assumption | Confidence | Basis |
| --- | --- | --- | --- |
| KAC-1 | Deployments where JWT_SECRET is not explicitly set use the publicly known fallback secret | High | Advisory explicitly states the default secret is used when the environment variable is unset and that it is not listed in .env.example; containerised or orchestrated deployments may configure secrets externally (GHSA-gv8f-wpm2-m5wr) |
| KAC-2 | The package has a small user base relative to official Anthropic tooling | Medium | The package is community-maintained by a single maintainer (simossiteboon). The npm registry did not return download statistics. Actual deployment numbers are unknown (npm registry) |
| KAC-3 | Version 1.25.0 addresses all three CVEs | High | Fix commits referenced in all three advisories; npm registry confirms 1.25.0 as latest release (GHSA advisories, npm registry) |
| KAC-4 | No in-the-wild exploitation has occurred prior to this analysis | Medium | No CISA KEV listing; CVEs not yet in NVD; published PoC lowers exploitation barrier (GHSA-gv8f-wpm2-m5wr, RAXE assessment) |

Independent verification status: RAXE has not independently run any PoC in an isolated environment. All claims about exploit behaviour derive from published advisory content (GHSA-gv8f-wpm2-m5wr, GHSA-f2fc-vc88-6w7q, GHSA-7fv4-fmmc-86g2).


9. Detection Signatures

Five detection rules are provided: four Sigma rules covering delivery telemetry and post-exploitation hunting, and one YARA rule for IOC detection. All rules are classified below critical severity -- delivery telemetry rules are medium and hunting rules are high (RAXE assessment).

Rule Coverage Map

| Rule ID | Format | CVE(s) | Classification | Severity | Data Source |
| --- | --- | --- | --- | --- | --- |
| DETECT-001 | Sigma | CVE-2026-31975 | Delivery telemetry | medium | HTTP access log with headers |
| DETECT-002 | Sigma | CVE-2026-31862 | Delivery telemetry | medium | HTTP access log with URI + body |
| DETECT-003 | Sigma | CVE-2026-31861 | Delivery telemetry | medium | HTTP access log with POST body |
| DETECT-004 | Sigma | All three CVEs | Post-exploitation hunting | high | EDR or auditd process telemetry |
| DETECT-005 | YARA | CVE-2026-31975 | IOC detection | high | File scan or memory scan |

DETECT-001 -- WebSocket Upgrade to /shell Endpoint

title: WebSocket Upgrade to claude-code-ui /shell Endpoint
id: a1f3c2d4-7e8b-4a9c-b0d1-e2f3a4b5c6d7
status: experimental
description: >
  Detects an HTTP WebSocket upgrade request directed at the /shell endpoint of
  @siteboon/claude-code-ui. CVE-2026-31975 exploits this endpoint to achieve
  unauthenticated remote code execution via a forged JWT signed with the
  publicly known default secret. Any WebSocket upgrade to /shell is notable
  because the endpoint provides direct OS shell access to the server.
  (GHSA-gv8f-wpm2-m5wr)
references:
  - https://github.com/advisories/GHSA-gv8f-wpm2-m5wr
author: RAXE Labs / M. Hirani
date: 2026-03-11
tags:
  - attack.initial_access
  - attack.t1190
  - attack.t1078.001
  - cve.2026-31975
logsource:
  category: webserver
  product: nginx
detection:
  selection_upgrade:
    cs-method: GET
    cs-uri-stem|contains: '/shell'
    cs-headers|contains:
      - 'Upgrade: websocket'
      - 'upgrade: websocket'
  condition: selection_upgrade
falsepositives:
  - Authorised developers connecting to the claude-code-ui shell from a known internal IP
  - Automated health checks targeting the /shell path
level: medium

DETECT-002 -- Shell Metacharacters in Git API Parameters

title: Shell Metacharacters in claude-code-ui Git API Parameters
id: b2e4d5f6-8a9b-4c0d-a1e2-f3a4b5c6d7e8
status: experimental
description: >
  Detects HTTP requests to the seven git-related API endpoints of
  @siteboon/claude-code-ui that contain shell metacharacters in their
  parameters. CVE-2026-31862 exploits these endpoints by injecting command
  substitution expressions ($(), backticks) or command-chaining operators
  (;, &&, ||) that bypass the application's quote-escaping sanitisation and
  run as OS commands inside a Node.js shell-mode child process.
  (GHSA-f2fc-vc88-6w7q)
references:
  - https://github.com/advisories/GHSA-f2fc-vc88-6w7q
author: RAXE Labs / M. Hirani
date: 2026-03-11
tags:
  - attack.execution
  - attack.t1190
  - attack.t1059.004
  - cve.2026-31862
logsource:
  category: webserver
  product: nginx
detection:
  selection_endpoints:
    cs-uri-stem|contains:
      - '/api/git/diff'
      - '/api/git/status'
      - '/api/git/commit'
      - '/api/git/checkout'
      - '/api/git/create-branch'
      - '/api/git/commits'
      - '/api/git/commit-diff'
      # Five additional endpoints patched in fix commit (GHSA-f2fc-vc88-6w7q, fix section)
      - '/api/git/file-with-diff'
      - '/api/git/generate-commit-message'
      - '/api/git/discard'
      - '/api/git/delete-untracked'
      - '/api/git/publish'
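  # Query-string and body matches are separate selections: fields inside one
  # selection are ANDed, which would require the pattern in both places at once.
  selection_metacharacters_query:
    cs-uri-query|contains:
      - '$('
      - '`'
      - '&&'
      - '||'
      - ';'
  selection_metacharacters_body:
    cs-request-body|contains:
      - '$('
      - '`'
      - '&&'
      - '||'
      - ';'
  condition: selection_endpoints and 1 of selection_metacharacters_*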
falsepositives:
  - Commit messages legitimately containing shell operators
  - Branch names using special characters on non-standard git hosting configurations
  - Automated scripts submitting valid shell-like strings in commit messages via the API
level: medium

DETECT-003 -- Command Substitution in Git Config POST Body

title: Command Substitution in claude-code-ui Git Config Endpoint
id: c3f5e6a7-9b0c-4d1e-b2f3-a4b5c6d7e8f9
status: experimental
description: >
  Detects POST requests to the /api/user/git-config endpoint of
  @siteboon/claude-code-ui with gitName or gitEmail values containing bash
  command substitution expressions. CVE-2026-31861 exploits this endpoint by
  embedding $() or backtick subshell expressions in these fields, which are
  evaluated by bash during git config execution despite double-quote escaping
  of the surrounding value. Because $( and backticks have no legitimate use in
  git user identity fields, this rule has a low false-positive profile.
  (GHSA-7fv4-fmmc-86g2)
references:
  - https://github.com/advisories/GHSA-7fv4-fmmc-86g2
author: RAXE Labs / M. Hirani
date: 2026-03-11
tags:
  - attack.execution
  - attack.t1190
  - attack.t1059.004
  - cve.2026-31861
logsource:
  category: webserver
  product: nginx
detection:
  selection_endpoint:
    cs-method: POST
    cs-uri-stem|contains: '/api/user/git-config'
  selection_payload:
    cs-request-body|contains:
      - '$('
      - '`'
  condition: selection_endpoint and selection_payload
falsepositives:
  - None expected for git user name/email fields
level: medium
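
Added example, not part of the RAXE rule set: DETECT-002 and DETECT-003 match literal substrings in the logged request, whereas the application acts on percent-decoded query values and parsed JSON fields. The JavaScript below applies the same endpoint and substring lists to the decoded values as well as the raw text. The record shape ({method, uri, body}), the function names and the sample records are constructed for illustration.

```javascript
// Endpoint and substring lists copied from DETECT-002 and DETECT-003.
const GIT_ENDPOINTS = [
  '/api/git/diff', '/api/git/status', '/api/git/commit', '/api/git/checkout',
  '/api/git/create-branch', '/api/git/commits', '/api/git/commit-diff',
  '/api/git/file-with-diff', '/api/git/generate-commit-message',
  '/api/git/discard', '/api/git/delete-untracked', '/api/git/publish',
];
const GIT_CONFIG_ENDPOINT = '/api/user/git-config';
const METACHARS = ['$(', '`', '&&', '||', ';'];
const SUBSHELL = ['$(', '`'];

const hasAny = (text, needles) => needles.some((n) => text.includes(n));

// Collect every string leaf of a parsed JSON body (nested arrays and objects).
function stringLeaves(value, out = []) {
  if (typeof value === 'string') out.push(value);
  else if (Array.isArray(value)) value.forEach((v) => stringLeaves(v, out));
  else if (value && typeof value === 'object') {
    Object.values(value).forEach((v) => stringLeaves(v, out));
  }
  return out;
}

// Return the URI stem plus every string worth inspecting: the raw query and
// body, and the values as the application sees them after one decoding pass.
function candidateStrings(record) {
  const q = record.uri.indexOf('?');
  const stem = q === -1 ? record.uri : record.uri.slice(0, q);
  const query = q === -1 ? '' : record.uri.slice(q + 1);
  const body = record.body || '';
  const decodedQuery = [...new URLSearchParams(query).values()];
  let bodyValues = [];
  try {
    bodyValues = stringLeaves(JSON.parse(body || 'null'));
  } catch {
    // Body is not JSON: only the raw text is inspected.
  }
  return { stem, strings: [query, body, ...decodedQuery, ...bodyValues] };
}

// Return the matching rule id, or null when neither rule applies.
function classify(record) {
  const { stem, strings } = candidateStrings(record);
  if (record.method === 'POST' && stem.includes(GIT_CONFIG_ENDPOINT)
      && strings.some((s) => hasAny(s, SUBSHELL))) return 'DETECT-003';
  if (GIT_ENDPOINTS.some((e) => stem.includes(e))
      && strings.some((s) => hasAny(s, METACHARS))) return 'DETECT-002';
  return null;
}

// Literal substring match on the undecoded fields, as a plain `contains` does.
function rawMatch(record, needles) {
  return hasAny(record.uri + (record.body || ''), needles);
}

// Constructed sample records; the injected values are the ones shown in the
// attack-flow diagram, in percent-encoded and JSON-escaped form.
const SAMPLES = [
  { method: 'GET', uri: '/api/git/commit-diff?project=demo&commit=abc%3Bid', body: '' },
  { method: 'POST', uri: '/api/user/git-config',
    body: '{"gitName":"\\u0024(id)","gitEmail":"dev@example.test"}' },
  { method: 'GET', uri: '/api/git/diff?project=demo&file=src%2Findex.js', body: '' },
  { method: 'POST', uri: '/api/git/commit',
    body: '{"message":"fix parser; add tests","files":["a.js"]}' },
  { method: 'POST', uri: '/api/user/git-config',
    body: '{"gitName":"Ada Lovelace","gitEmail":"ada@example.test"}' },
];
```

The fourth sample is the commit-message false positive that DETECT-002 already lists; the first two are flagged only after decoding.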

DETECT-004 -- Shell Interpreter Spawned by Node.js Process

title: Shell Interpreter Spawned by Node.js Process (claude-code-ui Host)
id: d4a6b7c8-0c1d-4e2f-c3a4-b5c6d7e8f9a0
status: experimental
description: >
  Detects a bash or sh child process spawned by a Node.js process, as observed
  on a host running @siteboon/claude-code-ui. All three command injection
  vulnerabilities in RAXE-2026-032 (CVE-2026-31975, CVE-2026-31862,
  CVE-2026-31861) result in the Node.js server spawning a shell interpreter via
  shell-mode child_process execution. On a patched deployment (v1.25.0), the
  shell: false fix replaces this execution pattern, so post-patch positives
  indicate either an unpatched instance or a separate injection path.
  (GHSA-gv8f-wpm2-m5wr, GHSA-f2fc-vc88-6w7q, GHSA-7fv4-fmmc-86g2)
references:
  - https://github.com/advisories/GHSA-gv8f-wpm2-m5wr
  - https://github.com/advisories/GHSA-f2fc-vc88-6w7q
  - https://github.com/advisories/GHSA-7fv4-fmmc-86g2
author: RAXE Labs / M. Hirani
date: 2026-03-11
tags:
  - attack.execution
  - attack.t1059.004
  - attack.t1190
  - cve.2026-31975
  - cve.2026-31862
  - cve.2026-31861
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|endswith:
      - '/node'
      - '/nodejs'
    ParentCommandLine|contains:
      - 'claude-code-ui'
      - 'claudecodeui'
  selection_child_shell:
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/dash'
  condition: selection_parent and selection_child_shell
falsepositives:
  - Legitimate git wrapper scripts on unpatched versions
  - Developer tooling or health-check scripts invoking bash via Node.js on the same host
level: high

DETECT-005 -- Hardcoded JWT Default Secret (YARA)

rule RAXE_2026_032_HardcodedJWT_Default_Secret
{
    meta:
        id              = "DETECT-005"
        finding_id      = "RAXE-2026-032"
        description     = "Detects the hardcoded JWT default secret shipped in @siteboon/claude-code-ui <= 1.24.0. The presence of this string in a Node.js application indicates a deployment vulnerable to CVE-2026-31975, which allows unauthenticated remote code execution via forged JWT tokens against the WebSocket /shell endpoint."
        cve             = "CVE-2026-31975"
        ghsa            = "GHSA-gv8f-wpm2-m5wr"
        cvss            = "9.8"
        author          = "RAXE Labs / M. Hirani"
        date            = "2026-03-11"
        tlp             = "TLP:GREEN"
        mitre_attack    = "T1190, T1078.001"
        mitre_atlas     = "AML.T0010.001"
        reference       = "https://github.com/advisories/GHSA-gv8f-wpm2-m5wr"
        severity        = "high"

    strings:
        $jwt_default_secret = "claude-ui-dev-secret-change-in-production" ascii wide nocase
        $context_jwt    = "JWT_SECRET" ascii wide
        $context_node   = "require(" ascii wide
        $context_auth   = "authenticateWebSocket" ascii wide

    condition:
        $jwt_default_secret and (
            $context_jwt or
            $context_node or
            $context_auth
        )
}

Detection Coverage Gaps

The following behaviours described in the advisories are not covered by the rules above (RAXE assessment):

  • Session resumption injection via sessionId at server/index.js:1257 (GHSA-gv8f-wpm2-m5wr) -- requires WebSocket frame-level inspection not available in HTTP access logs.
  • CORS exploitation (Access-Control-Allow-Origin: * at server/index.js:325) -- not detectable without browser-level telemetry (GHSA-gv8f-wpm2-m5wr).
  • Non-expiring token abuse (CWE-613) -- detecting abuse of long-lived tokens requires JWT issue-timestamp baselining against authentication logs (GHSA-gv8f-wpm2-m5wr).
  • Unauthenticated registration (/api/auth/register at server/routes/auth.js:22) -- monitoring POST requests to this endpoint is straightforward but was not included as it is not a direct injection vector (GHSA-gv8f-wpm2-m5wr).

10. Detection & Mitigation

Immediate Actions (Priority 1)

  1. Upgrade to version 1.25.0. This version addresses all three CVEs. Confirm version after upgrade: npm info @siteboon/claude-code-ui version (GHSA advisories, npm registry).

  2. Take internet-exposed instances offline. Any deployment accessible from untrusted networks with the default JWT secret is immediately exploitable via the published PoC (GHSA-gv8f-wpm2-m5wr, RAXE assessment).

  3. Set a unique JWT secret. If immediate upgrade is not possible, set the JWT_SECRET environment variable to a cryptographically random value of at least 32 characters. This mitigates CVE-2026-31975 but does not address CVE-2026-31862 or CVE-2026-31861 (GHSA-gv8f-wpm2-m5wr).
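A check for Immediate Actions 1 and 3, written for this report as an added example (not code from the package or the advisories). It reads a parsed package-lock.json for installs below 1.25.0 and audits a JWT_SECRET value; the function names and the sample lockfile are constructed for illustration.

```javascript
// Values taken from the advisory text.
const DEFAULT_SECRET = 'claude-ui-dev-secret-change-in-production';
const PKG = '@siteboon/claude-code-ui';
const FIXED = [1, 25, 0];

// True when "x.y.z" is lower than the fixed version (pre-release suffix ignored).
function isBelowFixed(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return false;
}

// lock: parsed package-lock.json with a "packages" map (lockfileVersion 2 or 3).
// Nested copies under other dependencies are reported as well.
function findVulnerableInstalls(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + PKG) && meta.version && isBelowFixed(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Returns the reasons a JWT_SECRET value fails the mitigation; [] means it passes.
function auditJwtSecret(secret) {
  if (!secret) return ['JWT_SECRET is not set'];
  const problems = [];
  // Case-insensitive match, mirroring the nocase modifier in DETECT-005.
  if (secret.toLowerCase() === DEFAULT_SECRET) problems.push('JWT_SECRET equals the published default');
  if (secret.length < 32) problems.push('JWT_SECRET is shorter than 32 characters');
  return problems;
}

// Constructed sample lockfile: one vulnerable install and one patched nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'internal-dev-portal' },
    'node_modules/@siteboon/claude-code-ui': { version: '1.24.0' },
    'node_modules/tooling/node_modules/@siteboon/claude-code-ui': { version: '1.25.0' },
  },
};
```

A replacement secret can be generated with `openssl rand -hex 32`, which yields 64 hexadecimal characters.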

Short-Term Actions (Priority 2)

  1. Audit npm dependency trees for AI tool UIs. Search for third-party wrappers around AI vendor CLIs in package.json and package-lock.json files across the organisation's Node.js deployments. Community-built wrappers around AI vendor APIs represent a growing and poorly audited attack surface (RAXE assessment).

  2. Verify no AI development tools are deployed with default credentials. The hardcoded JWT secret pattern (CWE-1188) in this package exemplifies a class of risk where development-time defaults persist into production (GHSA-gv8f-wpm2-m5wr, RAXE assessment).

  3. Review CORS configurations on developer-facing web applications. The Access-Control-Allow-Origin: * configuration documented in CVE-2026-31975 is a common misconfiguration in internal developer tools (GHSA-gv8f-wpm2-m5wr).

  4. Deploy detection rules. Implement the Sigma rules (DETECT-001 through DETECT-004) on appropriate log sources and deploy the YARA rule (DETECT-005) via secret scanning or file scanning pipelines (RAXE assessment).

Ongoing Monitoring (Priority 3)

  1. Monitor NVD for publication. Watch for NVD-assigned primary CVSS scores, which may differ from the CNA-submitted scores (RAXE assessment).

  2. Monitor FIRST.org EPSS. Exploitation probability scores will become available once the CVEs are ingested (RAXE assessment).

  3. Watch for further vulnerabilities in @siteboon/claude-code-ui. The systemic use of shell string interpolation across multiple code paths suggests further instances may exist beyond the three documented CVEs (RAXE assessment).


11. Indicators of Compromise

The following indicators are behavioural and network-based. No file-hash IOCs are applicable because the attack uses the application's own functionality (RAXE assessment).

| Type | Indicator | Context | Classification |
| --- | --- | --- | --- |
| Network -- WebSocket | HTTP GET to /shell with Upgrade: websocket header on the application port | CVE-2026-31975 delivery. The WebSocket upgrade is the entry point for unauthenticated RCE (GHSA-gv8f-wpm2-m5wr) | Confirmed (advisory-documented) |
| Network -- JWT | JWT token signed with HMAC-SHA256 containing a fabricated userId not present in the application database | CVE-2026-31975 authentication bypass. Detectable only if the application logs JWT payload contents or if WAF can decode JWTs (GHSA-gv8f-wpm2-m5wr) | Confirmed (advisory-documented) |
| Network -- HTTP | Requests to /api/git/commit-diff, /api/git/diff, /api/git/status, /api/git/commit, /api/git/checkout, /api/git/create-branch, /api/git/commits containing $(, backtick, ;, &&, or \|\| in parameters | CVE-2026-31862 delivery (GHSA-f2fc-vc88-6w7q) | Confirmed (advisory-documented) |
| Network -- HTTP | POST to /api/user/git-config with gitName or gitEmail containing $( or backtick sequences | CVE-2026-31861 delivery (GHSA-7fv4-fmmc-86g2) | Confirmed (advisory-documented) |
| Host -- Process | bash or sh child process spawned by a Node.js parent process running claude-code-ui or claudecodeui | Post-exploitation indicator for all three CVEs. On patched versions (v1.25.0+), this pattern should not occur during normal operation (RAXE assessment) | Inferred (RAXE assessment) |
| Host -- File | Presence of the string claude-ui-dev-secret-change-in-production in source code, configuration files, or node_modules/ | Exposure indicator for CVE-2026-31975. Indicates the hardcoded default secret is present in the deployment (GHSA-gv8f-wpm2-m5wr) | Confirmed (advisory-documented) |
| Host -- Git Config | Unexpected modification of ~/.gitconfig or global git user.name/user.email values on the server | Post-exploitation indicator for CVE-2026-31861, which modifies server-wide git identity via --global flag (GHSA-7fv4-fmmc-86g2) | Confirmed (advisory-documented) |
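The two Network -- HTTP indicators above, expressed as matching logic over request records. This is an added example, not one of the report's DETECT rules; the record shape ({ method, url, body }) and the sample records are constructed, and it assumes the log source captures decoded request parameters.

```javascript
// Endpoints and metacharacter sets are taken from the indicator table.
const GIT_ENDPOINTS = new Set([
  '/api/git/commit-diff', '/api/git/diff', '/api/git/status', '/api/git/commit',
  '/api/git/checkout', '/api/git/create-branch', '/api/git/commits',
]);
const GIT_TOKENS = ['$(', '`', ';', '&&', '||'];
const CONFIG_TOKENS = ['$(', '`'];
const CONFIG_FIELDS = ['gitName', 'gitEmail'];

// rec: { method, url, body } (assumed record shape). Returns a finding or null.
function classifyRequest(rec) {
  // The base URL is only there so a relative request path can be parsed.
  const url = new URL(rec.url, 'http://log.invalid');
  // searchParams percent-decodes query values; body fields are taken as logged.
  const params = { ...Object.fromEntries(url.searchParams), ...(rec.body || {}) };
  let cve, tokens, fields;
  if (GIT_ENDPOINTS.has(url.pathname)) {
    [cve, tokens, fields] = ['CVE-2026-31862', GIT_TOKENS, Object.keys(params)];
  } else if (url.pathname === '/api/user/git-config' && rec.method === 'POST') {
    [cve, tokens, fields] = ['CVE-2026-31861', CONFIG_TOKENS, CONFIG_FIELDS];
  } else {
    return null;
  }
  for (const field of fields) {
    const value = String(params[field] ?? '');
    const token = tokens.find((t) => value.includes(t));
    if (token) return { cve, field, token };
  }
  return null;
}

// Constructed sample records (not taken from any real deployment).
const SAMPLE_LOG = [
  { method: 'GET', url: '/api/git/status?project=demo' },
  { method: 'GET', url: '/api/git/diff?project=demo&file=README.md%24%28echo%20x%29' },
  { method: 'POST', url: '/api/user/git-config', body: { gitName: 'Alice `echo x`', gitEmail: 'a@example.com' } },
  { method: 'POST', url: '/api/user/git-config', body: { gitName: 'Alice; Bob', gitEmail: 'a@example.com' } },
  { method: 'POST', url: '/api/git/commit', body: { project: 'demo', message: 'fix parser && add tests' } },
];

function scan(records) {
  return records.map(classifyRequest);
}
```

The characters ;, && and || also occur in ordinary commit messages, as the last constructed record shows, so hits on /api/git/commit need triage before being treated as exploitation.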

12. Strategic Context

AI Coding Tool Supply Chain Risk

This cluster finding illustrates a specific and recurring risk pattern in the AI developer tooling ecosystem: community-built web interfaces wrapping vendor CLI tools (RAXE assessment). @siteboon/claude-code-ui provides a browser-based UI for Anthropic's Claude Code CLI (npm registry). The package is not developed or maintained by Anthropic -- it is a third-party wrapper maintained by a single individual (npm registry). The package name's inclusion of "claude-code" creates confusion risk regarding its provenance and security assurances (RAXE assessment).

Systemic Coding Pattern

The root cause across all three CVEs -- shell command construction via string interpolation rather than process spawning with argument arrays -- is one of the most well-documented insecure coding patterns in web application security. Its presence across multiple code paths in a single package (WebSocket handlers, git API routes, user configuration routes) indicates a systemic absence of secure coding practices rather than an isolated lapse (RAXE assessment). The remediation pattern applied in all three fix commits (replacing shell-mode invocation with spawn() using shell: false) is the canonical mitigation for CWE-78 and CWE-77 in Node.js environments (GHSA advisories).
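The contrast described above, as an added example (not the package's code or its fix commits). The echo binary stands in for git so that nothing on the host is changed, and the function names and sample value are constructed; a POSIX host is assumed.

```javascript
const { execSync, spawnSync } = require('child_process');

// Constructed input carrying a harmless command-substitution marker.
const SAMPLE_NAME = 'Alice $(echo INJECTED)';

// BEFORE (the pattern the advisories describe): the value is interpolated into
// a string that a shell parses, so $(...) is evaluated before the target
// program ever sees the argument.
function setNameViaShellString(name) {
  return execSync(`echo user.name "${name}"`, { encoding: 'utf8' }).trim();
}

// AFTER (the pattern of the fix): program and arguments are passed separately
// with shell: false, so the value reaches the child as one literal argv entry.
function setNameViaArgv(name) {
  // An argument array stops shell parsing but not option parsing by the child
  // program, so values that look like flags are rejected here.
  if (typeof name !== 'string' || name.startsWith('-')) {
    throw new Error('rejected: value could be parsed as an option');
  }
  const res = spawnSync('echo', ['user.name', name], { shell: false, encoding: 'utf8' });
  if (res.error || res.status !== 0) throw new Error('child process failed');
  return res.stdout.trim();
}

// Runs both variants on the same constructed input for side-by-side comparison.
function compare() {
  return {
    shellString: setNameViaShellString(SAMPLE_NAME),
    argv: setNameViaArgv(SAMPLE_NAME),
  };
}
```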

Default Credential Risk in Developer Tools

The hardcoded JWT secret pattern (CWE-1188) documented in CVE-2026-31975 is particularly dangerous because the default value is embedded in publicly available source code (GHSA-gv8f-wpm2-m5wr). Developer-facing tools are frequently deployed with default configurations under the assumption that they operate in trusted network environments. When such tools are exposed to untrusted networks -- whether through misconfiguration, cloud deployment, or VPN access -- default credentials become unauthenticated access vectors (RAXE assessment).

MITRE ATLAS Mapping

This finding maps to MITRE ATLAS technique AML.T0010.001 -- AI Supply Chain Compromise: AI Software (RAXE assessment). The technique describes compromise of AI-related software components in the supply chain. @siteboon/claude-code-ui is an AI-adjacent software component (a UI for an AI coding assistant) distributed via npm, and its vulnerabilities enable compromise of systems where it is deployed (RAXE assessment). The MITRE ATT&CK mappings T1190 (Exploit Public-Facing Application), T1059.004 (Unix Shell), and T1078 (Valid Accounts -- forged JWT) describe the individual attack techniques used across the three CVEs (RAXE assessment).

Disclosure Timeline

| Date | Event | Source |
| --- | --- | --- |
| 2026-03-02 | CVE-2026-31975 vulnerability discovery and PoC verification | GHSA-gv8f-wpm2-m5wr |
| 2026-03-02 | Private advisory submitted for CVE-2026-31975 | GHSA-gv8f-wpm2-m5wr |
| 2026-03-09 | GHSA advisories published for CVE-2026-31862 and CVE-2026-31861 | GHSA-f2fc-vc88-6w7q, GHSA-7fv4-fmmc-86g2 |
| 2026-03-10 | GHSA advisory published for CVE-2026-31975; CVE-2026-31861 updated | GHSA-gv8f-wpm2-m5wr, GHSA-7fv4-fmmc-86g2 |
| 2026-03-11 | GHSA-gv8f-wpm2-m5wr reviewed and added to GitHub Advisory Database | GHSA-gv8f-wpm2-m5wr |
| 2026-03-11 | RAXE-2026-032 signal detected and analysis completed | RAXE Labs |
| 2026-06-01 | Public disclosure deadline (90-day window) for CVE-2026-31975 | GHSA-gv8f-wpm2-m5wr |

Reporter Credits

| CVE | Reporters | Source |
| --- | --- | --- |
| CVE-2026-31975 | Ethan-Yang (OPCIA), DhiyaneshGeek, neo-ai-engineer | GHSA-gv8f-wpm2-m5wr |
| CVE-2026-31862 | toufik-airane, neo-ai-engineer | GHSA-f2fc-vc88-6w7q |
| CVE-2026-31861 | Akokonunes, neo-ai-engineer | GHSA-7fv4-fmmc-86g2 |

13. References

  1. GHSA-gv8f-wpm2-m5wr -- @siteboon/claude-code-ui Unauthenticated RCE via WebSocket Shell Injection (GHSA)
  2. GHSA-f2fc-vc88-6w7q -- @siteboon/claude-code-ui Command Injection via Multiple Parameters (GHSA)
  3. GHSA-7fv4-fmmc-86g2 -- @siteboon/claude-code-ui Shell Command Injection in Git Routes (GHSA)
  4. @siteboon/claude-code-ui -- npm registry (npm)
  5. Fix Commit -- CVE-2026-31975: siteboon/claudecodeui@12e7f07 (GitHub)
  6. Fix Commit -- CVE-2026-31862: siteboon/claudecodeui@55567f4 (referenced in GHSA-f2fc-vc88-6w7q; commit not publicly accessible as of 2026-03-11)
  7. Fix Commit -- CVE-2026-31861: siteboon/claudecodeui@86c33c1 (GitHub)
  8. MITRE ATLAS: AML.T0010.001 -- AI Supply Chain Compromise: AI Software (MITRE ATLAS)