CVE-2026-45136: claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.
Summary
claude-code-cache-fix is a tool that speeds up Claude Code by caching results. Versions 3.5.0 through 3.5.1 have a code injection vulnerability (CWE-94, inserting malicious code into a program) in a file called tools/quota-statusline.sh, where user input containing certain byte sequences (''') can break out of a Python string and execute arbitrary code on the user's system. This is a high-severity bug that affects local attackers who can control the input to Claude Code.
Solution / Mitigation
This vulnerability is fixed in version 3.5.2. Users should update to claude-code-cache-fix 3.5.2 or later.
Vulnerability Details
EPSS: 0.0%
May 27, 2026
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-45136
First tracked: May 28, 2026 at 02:08 AM
Classified by LLM (prompt v3) · confidence: 92%