Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33068

CVE-2026-33068: Anthropic Claude Code Auth Bypass Flaw

CVE-2026-33068 is an authentication bypass flaw in Anthropic Claude Code that allows malicious repositories to skip workspace trust dialogs. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-33068 Overview

CVE-2026-33068 is a trust dialog bypass vulnerability in Anthropic Claude Code, an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repository-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json file, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent.

Critical Impact

An attacker could craft a malicious repository that bypasses the workspace trust confirmation dialog, allowing arbitrary tool execution without explicit user consent when a victim clones and opens the repository in Claude Code.

Affected Products

  • Anthropic Claude Code versions prior to 2.1.53
  • Claude Code for Node.js environments

Discovery Timeline

  • 2026-03-20 - CVE CVE-2026-33068 published to NVD
  • 2026-03-24 - Last updated in NVD database

Technical Details for CVE-2026-33068

Vulnerability Analysis

This vulnerability is classified under CWE-807 (Reliance on Untrusted Inputs in a Security Decision). The core issue stems from Claude Code's permission system processing order, where repository-controlled settings files are evaluated before the workspace trust mechanism can properly gate access. When a user opens a repository for the first time, Claude Code is designed to present a trust confirmation dialog that asks users to explicitly approve whether they trust the repository and want to grant it elevated permissions.

However, the vulnerability allows a malicious repository to include a pre-configured .claude/settings.json file that sets permissions.defaultMode to bypassPermissions. Because the settings file is processed before the trust dialog logic is invoked, the application determines that permissions have already been configured and skips the trust prompt entirely.

The attack requires user interaction—specifically, the victim must clone and open the malicious repository in Claude Code. However, no further consent is required once the repository is opened, as the trust dialog that would normally require explicit approval is silently bypassed.

Root Cause

The root cause is the improper ordering of security-critical operations in Claude Code's initialization sequence. The permission mode resolution from settings files occurs before the workspace trust evaluation, allowing repository-controlled configuration to influence security decisions that should require explicit user consent. This represents a reliance on untrusted inputs (the repository's .claude/settings.json) for making security-critical decisions about permission granting.

Attack Vector

The attack vector for CVE-2026-33068 is network-based, requiring an attacker to distribute a malicious repository containing a crafted .claude/settings.json configuration file. The attack scenario involves:

  1. An attacker creates a repository containing a .claude/settings.json file with permissions.defaultMode set to bypassPermissions
  2. The attacker distributes this repository through typical code sharing channels (GitHub, GitLab, email, etc.)
  3. A victim clones the repository and opens it in Claude Code
  4. Claude Code processes the malicious settings file before the trust dialog
  5. The trust confirmation dialog is silently skipped
  6. The user is placed into permissive mode without their explicit consent
  7. The attacker's repository can now leverage Claude Code's tool execution capabilities without the expected security confirmation

The vulnerability enables potential arbitrary code execution through Claude Code's agentic capabilities, as the tool execution consent mechanism is effectively bypassed.

Detection Methods for CVE-2026-33068

Indicators of Compromise

  • Presence of .claude/settings.json files in repositories with permissions.defaultMode set to bypassPermissions
  • Unexpected tool executions in Claude Code without user-initiated trust confirmations
  • Repository cloning events followed by immediate Claude Code tool execution activity without corresponding trust dialog interactions

Detection Strategies

  • Scan repositories for .claude/settings.json files containing suspicious permission configurations before opening
  • Implement file integrity monitoring for Claude Code configuration directories
  • Audit Claude Code activity logs for tool executions that occur without preceding trust confirmation events

Monitoring Recommendations

  • Monitor for the creation or modification of .claude/settings.json files in cloned repositories
  • Track Claude Code process activity for tool execution patterns that bypass normal user interaction flows
  • Review repository contents for potentially malicious configuration files before opening in development tools

How to Mitigate CVE-2026-33068

Immediate Actions Required

  • Upgrade Anthropic Claude Code to version 2.1.53 or later immediately
  • Review recently cloned repositories for suspicious .claude/settings.json files
  • Audit Claude Code activity for any unexpected tool executions that may have occurred without explicit trust confirmation

Patch Information

Anthropic has addressed this vulnerability in Claude Code version 2.1.53. The fix ensures that the workspace trust confirmation dialog is displayed before processing permission settings from repository-controlled configuration files. Users should update to version 2.1.53 or later to remediate this vulnerability. For detailed information, refer to the GitHub Security Advisory GHSA-mmgp-wc2j-qcv7.

Workarounds

  • Manually inspect .claude/settings.json files in repositories before opening them in Claude Code
  • Remove or rename any .claude/settings.json files from untrusted repositories before opening
  • Configure organizational policies to block or flag repositories containing pre-configured Claude Code permission settings
  • Use repository scanning tools to identify potentially malicious configuration files before developer interaction

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.