Skip to main content

Claude Code EUVDEUVD-2026-27502

| CVE-2026-40068 HIGH
Improper Input Validation (CWE-20)
2026-04-24 https://github.com/anthropics/claude-code GHSA-q5hj-mxqh-vv77
7.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Patch available
May 05, 2026 - 22:02 EUVD
Re-analysis Queued
May 05, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
May 05, 2026 - 21:22 NVD
7.7 (HIGH)
Analysis Generated
Apr 24, 2026 - 17:30 vuln.today
Analysis Generated
Apr 24, 2026 - 17:00 vuln.today
CVE Published
Apr 24, 2026 - 16:34 nvd
HIGH

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @anthropic-ai/claude-code (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.1.63.

DescriptionGitHub Advisory

Claude Code used the git worktree commondir file when determining folder trust but did not validate its contents. By crafting a repository with a commondir file pointing to a path the victim had previously trusted, an attacker could bypass the trust dialog and immediately execute malicious hooks defined in .claude/settings.json. Exploiting this required the victim to clone a malicious repository and run Claude Code within it, and for the attacker to know or guess a path the victim had already trusted.

Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.

Claude Code thanks hackerone.com/masato_anzai for reporting this issue.

AnalysisAI

Claude Code's trust bypass vulnerability allows execution of malicious hooks through manipulated git worktree configuration files. Attackers who can trick victims into cloning a crafted repository can bypass the folder trust dialog by pointing the commondir file to a previously-trusted path, enabling immediate execution of arbitrary code via .claude/settings.json hooks. The attack requires the attacker to know or correctly guess a path the victim has already trusted, limiting exploitation to targeted scenarios. Auto-update users have already received the patch; manual installation users should upgrade immediately.

Technical ContextAI

This vulnerability exploits Claude Code's trust boundary mechanism for git repositories. Git worktrees use a commondir file to reference a shared git directory across multiple working trees. Claude Code validated folder trust by checking this file but failed to sanitize or validate its contents before dereferencing the path. An attacker could craft a repository where commondir points to an arbitrary path the victim had previously marked as trusted (such as a legitimate project directory), thereby inheriting that trust level. Once trust is established, Claude Code would process .claude/settings.json hook configurations without prompting, executing attacker-controlled commands. This represents a classic path traversal variant (CWE-20: Improper Input Validation) applied to trust boundary decisions rather than file access. The vulnerability is specific to Claude Code's integration with git worktree structures and its trust persistence mechanism.

RemediationAI

Users on standard Claude Code installations with auto-update enabled have already received the security patch and require no action. Users performing manual updates or those who have disabled automatic updates must immediately upgrade to the latest version of @anthropic-ai/claude-code from npm or GitHub. The official security advisory with detailed patch information is available at https://github.com/anthropics/claude-code/security/advisories/GHSA-q5hj-mxqh-vv77. As an interim workaround until patching, users can avoid opening untrusted or newly-cloned repositories in Claude Code, particularly those from unknown sources or unsolicited sharing. Security-conscious organizations should audit which repositories employees are cloning and consider implementing repository allowlisting. Note that simply avoiding malicious repositories eliminates the attack vector, but this is not a sustainable long-term mitigation compared to applying the vendor patch.

Share

EUVD-2026-27502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy