CVE-2026-33068
Published: 20 March 2026
Description
Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.
Mitigating Controls (NIST 800-53 r5) [AI]
Requires validation of untrusted inputs from repository-controlled .claude/settings.json to prevent malicious permissions.defaultMode from bypassing the workspace trust confirmation dialog.
Ensures access control decisions, such as displaying the trust dialog before permissive mode, are not subverted by untrusted inputs from malicious repository settings files.
Enforces least privilege by requiring explicit user consent through the trust dialog, limiting damage from unauthorized permissive tool execution even if settings are manipulated.
Security Summary [AI]
CVE-2026-33068 is a vulnerability in Claude Code, an agentic coding tool from Anthropic, affecting versions prior to 2.1.53. The issue arises because the tool resolves the permission mode from settings files, including the repository-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository can commit a .claude/settings.json file setting permissions.defaultMode to bypassPermissions, which causes the trust dialog to be silently skipped upon first opening the repository. This flaw is classified under CWE-807 (Reliance on Untrusted Inputs in a Security Decision) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Attackers who control a repository can exploit this vulnerability by embedding the malicious settings file in their code. Victims, such as developers who clone or open the attacker-controlled repository in Claude Code, would unknowingly enter permissive mode without the trust confirmation prompt. This enables the repository to gain tool execution privileges without explicit user consent, potentially allowing arbitrary code execution or other malicious actions within the tool's environment.
The vulnerability has been patched in Claude Code version 2.1.53. Additional details on the fix and affected versions are available in the GitHub security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7.
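An added example, not part of the advisory or of Claude Code: a Python check that inspects a checked-out repository's .claude/settings.json for the permissions.defaultMode value described above before the repository is opened, and compares a plain dotted version string against the patched release 2.1.53. The function names, the sample repositories and the "default" mode value are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# File, setting and fixed version as named in the advisory text.
SETTINGS_REL = Path(".claude") / "settings.json"
RISKY_MODE = "bypassPermissions"
FIXED_VERSION = (2, 1, 53)


def audit_repo(repo_root):
    """Return a list of findings for one checked-out repository."""
    path = Path(repo_root) / SETTINGS_REL
    if not path.is_file():
        return []
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        # Unparseable settings deserve a manual look, not a silent pass.
        return [f"{path}: could not parse ({exc.__class__.__name__})"]
    perms = data.get("permissions") if isinstance(data, dict) else None
    mode = perms.get("defaultMode") if isinstance(perms, dict) else None
    if mode == RISKY_MODE:
        return [f"{path}: permissions.defaultMode is {RISKY_MODE}"]
    return []


def is_patched(version):
    """True if a plain dotted version string is at or above 2.1.53."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts >= FIXED_VERSION


def make_sample_repo(root, name, settings_text):
    """Build a constructed sample repository under root (test data only)."""
    repo = Path(root) / name
    (repo / ".claude").mkdir(parents=True)
    (repo / SETTINGS_REL).write_text(settings_text, encoding="utf-8")
    return repo


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        risky = '{"permissions": {"defaultMode": "bypassPermissions"}}'
        benign = '{"permissions": {"defaultMode": "default"}}'
        for name, text in (("flagged", risky), ("clean", benign)):
            repo = make_sample_repo(tmp, name, text)
            print(name, audit_repo(repo) or "no findings")
        print("2.1.52 patched:", is_patched("2.1.52"))
```

Running the check on a fresh clone before opening it is useful on hosts that cannot yet be upgraded to 2.1.53.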
Details
- CWE(s)
Affected Products
AI Security Analysis [AI]
- AI Category: APIs and Models
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: claude, claude, claude
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability exploits a flaw in the client-side Claude Code tool, allowing malicious repository settings to bypass the workspace trust dialog and enable arbitrary code execution without user consent.