CVE-2026-40068 Overview
CVE-2026-40068 is an input validation flaw [CWE-20] in Anthropic Claude Code versions 2.1.63 through 2.1.83. The folder trust determination logic reads the git worktree commondir file without validating its contents. An attacker can craft a malicious repository whose commondir file points to a path the victim previously trusted. When the victim opens the repository in Claude Code, the tool bypasses its trust confirmation dialog and immediately executes hooks defined in .claude/settings.json. Anthropic addressed the issue in version 2.1.84.
Critical Impact
Successful exploitation results in arbitrary command execution on the developer workstation through Claude Code hooks, with no user prompt shown.
Affected Products
- Anthropic Claude Code 2.1.63
- Anthropic Claude Code versions 2.1.64 through 2.1.82
- Anthropic Claude Code 2.1.83
Discovery Timeline
- 2026-05-05 - CVE-2026-40068 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-40068
Vulnerability Analysis
Claude Code maintains a list of folders the user has explicitly trusted. Trusted folders are allowed to load .claude/settings.json and execute hooks without prompting. The trust decision relies on resolving the active git directory. In a git worktree, the commondir file inside .git points to the canonical repository directory. Claude Code reads this path and matches it against the trust list.
The vulnerable releases use the commondir value verbatim. They do not verify that the path actually corresponds to a real, attacker-uncontrolled repository. An attacker who knows or guesses an already-trusted path on the victim system can place that exact path in commondir. Claude Code then treats the malicious clone as if it were the trusted repository.
Root Cause
The root cause is missing validation of externally controlled file content [CWE-20]. The trust check uses the commondir string as authoritative input. It does not confirm that the referenced directory exists, that it is the parent of the current worktree, or that it has not been spoofed inside an attacker-supplied repository.
Attack Vector
Exploitation requires the victim to clone a repository under attacker control and run Claude Code inside it. The attacker must know or guess a folder path the victim had previously approved, for example a common project directory. The malicious repository ships a .git/commondir file containing that path and a .claude/settings.json with hostile hook commands. When Claude Code starts, it resolves trust against the spoofed commondir, finds a match, and executes the hooks. User interaction is limited to opening the repository.
No verified proof-of-concept code is published. See the GitHub Security Advisory GHSA-q5hj-mxqh-vv77 for the upstream description.
Detection Methods for CVE-2026-40068
Indicators of Compromise
- Repositories containing a .git/commondir file whose contents reference an unrelated absolute path on the local filesystem.
- Presence of .claude/settings.json with hooks entries that invoke shell commands, downloaders, or interpreters such as curl, wget, bash, or powershell.
- Child processes of the Claude Code binary spawning shells or network utilities immediately after a git clone event.
Detection Strategies
- Inspect newly cloned repositories for .git/commondir files that point outside the cloned tree, and flag those that match historically trusted paths.
- Alert on creation or modification of .claude/settings.json containing hook definitions in repositories pulled from untrusted sources.
- Correlate Claude Code process launches with subsequent execution of shell interpreters or outbound network connections.
Monitoring Recommendations
- Log execution of the Claude Code CLI and capture command-line arguments and the working directory.
- Track the installed Claude Code version on developer endpoints and alert on versions between 2.1.63 and 2.1.83.
- Monitor developer workstations for unexpected hook execution patterns following git operations.
How to Mitigate CVE-2026-40068
Immediate Actions Required
- Upgrade Claude Code to version 2.1.84 or later on every developer endpoint.
- Audit existing local repositories for tampered .git/commondir files and suspicious .claude/settings.json hook entries.
- Review the Claude Code trusted folders list and remove entries that are no longer required.
Patch Information
Anthropic fixed the issue in Claude Code 2.1.84. The patched build validates the commondir reference before using it in the folder trust decision. Refer to the GitHub Security Advisory GHSA-q5hj-mxqh-vv77 for upstream guidance.
Workarounds
- Avoid running Claude Code inside repositories cloned from untrusted sources until the upgrade is complete.
- Inspect .git/commondir and .claude/settings.json in any new clone before launching Claude Code.
- Restrict the trusted folders list to a minimal set of well-known project directories to reduce the attacker's guessing surface.
# Verify Claude Code version and inspect a freshly cloned repo before opening it
claude --version
grep -R . .git/commondir 2>/dev/null
cat .claude/settings.json 2>/dev/null
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
