{"id":"GHSA-mmgp-wc2j-qcv7","summary":"Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File","details":"Claude Code resolved the permission mode from settings files, including the repo-controlled `.claude/settings.json`, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set `permissions.defaultMode` to `bypassPermissions` in its committed `.claude/settings.json`, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent.\n\nUsers on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.\n\nThank you to hackerone.com/cantina_xyz for reporting this issue.","aliases":["CVE-2026-33068"],"modified":"2026-03-20T21:33:50.318924Z","published":"2026-03-19T12:42:09Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2026-03-19T12:42:09Z","severity":"HIGH","nvd_published_at":"2026-03-20T09:16:15Z","cwe_ids":["CWE-807"]},"references":[{"type":"WEB","url":"https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33068"},{"type":"PACKAGE","url":"https://github.com/anthropics/claude-code"}],"affected":[{"package":{"name":"@anthropic-ai/claude-code","ecosystem":"npm","purl":"pkg:npm/%40anthropic-ai/claude-code"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.1.53"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mmgp-wc2j-qcv7/GHSA-mmgp-wc2j-qcv7.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}