A CVSS 9.4 CVE hit Claude Code CI/CD pipelines in April 2026 — crafted PR titles exfiltrating API keys. Most workflows are still unpatched. Here's the five-control fix.