CVE-2026-33068
HIGH
GHSA-mmgp-wc2j-qcv7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
Claude Code resolved the permission mode from settings files, including the repo-controlled `.claude/settings.json`, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set `permissions.defaultMode` to `bypassPermissions` in its committed `.claude/settings.json`, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version. Thank you to hackerone.com/cantina_xyz for reporting this issue.
Analysis
Claude Code, an AI coding assistant, contains an authentication bypass vulnerability where malicious repositories can silently skip the workspace trust confirmation dialog by setting permissions.defaultMode to bypassPermissions in a committed .claude/settings.json file. This affects users of the @anthropic-ai/claude-code npm package who open untrusted repositories. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all internal use of @anthropic-ai/claude-code npm package and identify affected development teams. Within 7 days: Issue security advisory to developers prohibiting Claude Code usage on untrusted/external repositories and enforce code review policies for repository sources. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today