VYPR
High severity 7.8 · NVD Advisory · Published May 18, 2026 · Updated May 18, 2026

CVE-2026-47092

Description

Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version check, causing execFile() to execute the attacker-supplied executable with cmd.exe arguments, resulting in arbitrary code execution on Windows systems.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Claude HUD ≤0.0.12 on Windows allows local RCE via COMSPEC env var hijacking, patched in commit 234d9aa.

Vulnerability

Overview

Claude HUD versions through 0.0.12 contain a command injection vulnerability (CVE-2026-47092) that enables local attackers to execute arbitrary code on Windows systems. The root cause is that the application uses the COMSPEC environment variable to locate cmd.exe for a version check, but does not validate the variable's value. An attacker can set COMSPEC to point to any executable before launching Claude HUD, causing execFile() to run the attacker-supplied binary with arguments intended for cmd.exe [1][2][4].

Exploitation

Prerequisites

Exploitation requires local access to the Windows machine and the ability to set environment variables before the Claude HUD process starts. No authentication is needed beyond the local user session. The attack surface is limited to Windows because COMSPEC is a Windows-specific environment variable that typically points to cmd.exe. The vulnerability is triggered during the version check that Claude HUD performs while initializing the HUD [3][4].

Impact

A successful attack can achieve arbitrary code execution in the context of the Claude HUD process. This could allow the attacker to compromise the user's system, install malware, access sensitive data, or perform other malicious actions with the privileges of the logged-in user. The CVSS v3 score of 7.8 (High) reflects the local attack vector, low complexity, and high impact on confidentiality, integrity, and availability [1][3][4].

Mitigation

The vulnerability is patched in commit 234d9aa, which hardens the Windows version lookup by not relying on the untrusted COMSPEC variable. Users should update to a version that includes this commit or later. No workaround is available other than restricting local access to trusted users [1][2][4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
