CVE-2026-33068
Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
In short
Claude Code skipped its security dialog when opening untrusted repositories if they contained a malicious settings file. This allowed attackers to execute code on a user's computer without the user seeing a warning prompt.
Technical detail
CWE-807 (Reliance on Untrusted Inputs in a Security Decision): Claude Code versions <2.1.53 resolved permissions from repo-controlled .claude/settings.json before evaluating workspace trust, allowing a malicious repository to set permissions.defaultMode to bypassPermissions and suppress the trust confirmation dialog. The attack requires user interaction (opening the repository) but bypasses the explicit security control designed to require informed consent.
Summary generated and translated by AI from the official description.
Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
anthropics · claude-codeWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →