CVE-2026-31975: @siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection
Three chained vulnerabilities allow unauthenticated remote code execution on any claudecodeui instance running with default configuration. No account, credentials, or prior access is required.
The root cause of the RCE is OS command injection (CWE-78) in the WebSocket shell handler. Authentication is bypassed by combining an insecure default JWT secret (CWE-1188) with a WebSocket authentication function that skips database user validation (CWE-287), so a token minted with the known default secret is accepted without any check that its subject is a real user.
References
- github.com/advisories/GHSA-gv8f-wpm2-m5wr
- github.com/siteboon/claudecodeui
- github.com/siteboon/claudecodeui/commit/12e7f074d9563b3264caf9cec6e1b701c301af26
- github.com/siteboon/claudecodeui/releases/tag/v1.25.0
- github.com/siteboon/claudecodeui/security/advisories/GHSA-gv8f-wpm2-m5wr
- nvd.nist.gov/vuln/detail/CVE-2026-31975