{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33068", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.343Z", "datePublished": "2026-03-20T08:17:47.794Z", "dateUpdated": "2026-03-20T13:48:36.014Z"}, "containers": {"cna": {"title": "Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File", "problemTypes": [{"descriptions": [{"cweId": "CWE-807", "lang": "en", "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7"}], "affected": [{"vendor": "anthropics", "product": "claude-code", "versions": [{"version": "< 2.1.53", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:17:47.794Z"}, "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53."}], "source": {"advisory": "GHSA-mmgp-wc2j-qcv7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T13:48:28.263574Z", "id": "CVE-2026-33068", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:48:36.014Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33068", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T13:48:28.263574Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:48:31.483Z"}}], "cna": {"title": "Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File", "source": {"advisory": "GHSA-mmgp-wc2j-qcv7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "anthropics", "product": "claude-code", "versions": [{"status": "affected", "version": "< 2.1.53"}]}], "references": [{"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7", "name": "https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-807", "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:17:47.794Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33068", "state": "PUBLISHED", "dateUpdated": "2026-03-20T13:48:36.014Z", "dateReserved": "2026-03-17T19:27:06.343Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T08:17:47.794Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "34F44949-22D3-4942-9E99-11AEF660111F", "versionEndExcluding": "2.1.53", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53."}, {"lang": "es", "value": "Claude Code es una herramienta de codificaci\u00f3n ag\u00e9ntica. Las versiones anteriores a la 2.1.53 resolv\u00edan el modo de permiso a partir de archivos de configuraci\u00f3n, incluyendo el .claude/settings.json controlado por el repositorio, antes de determinar si mostrar el di\u00e1logo de confirmaci\u00f3n de confianza del espacio de trabajo. Un repositorio malicioso podr\u00eda establecer permissions.defaultMode a bypassPermissions en su .claude/settings.json confirmado, causando que el di\u00e1logo de confianza se omitiera silenciosamente en la primera apertura. Esto permit\u00eda que un usuario fuera colocado en un modo permisivo sin ver la solicitud de confirmaci\u00f3n de confianza, facilitando que un repositorio controlado por un atacante obtuviera la ejecuci\u00f3n de la herramienta sin el consentimiento expl\u00edcito del usuario. Este problema ha sido parcheado en la versi\u00f3n 2.1.53."}], "id": "CVE-2026-33068", "lastModified": "2026-03-24T15:46:36.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T09:16:15.017", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-807"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.53)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "claude-code", "source": "cna", "vendor": "anthropics"}, "product": "claude_code", "vendor": "anthropics"}], "analysis": {"en": {"generated_at": "2026-03-24T17:28:36.239181+00:00", "value": {"mitigation_remediation": ["Upgrade Claude Code to version 2.1.53 or later"], "summary": {"action": "Apply Patch", "impact": "User Consent Evasion"}, "threat_synthesis": {"affected_systems": "Anthropics\u2019 Claude Code is affected, specifically all releases prior to version 2.1.53, regardless of the underlying operating system. Users running any of those vulnerable releases that open untrusted repositories are at risk.", "description_and_impact": "Claude Code, an agentic coding tool, has a flaw that allows a malicious repository to bypass the workspace trust confirmation dialog. Prior to version 2.1.53, the tool reads permission settings from a repo\u2011controlled file (.claude/settings.json) before showing the confirmation prompt. An attacker can set permissions.defaultMode to bypassPermissions, causing the dialog to be skipped automatically, placing a user into a permissive mode without explicit warning and enabling code execution within the tool. This weakness corresponds to CWE\u2011807, which involves indirect information leakage through misconfigured permissions.", "risk_and_exploitability": "The CVSS v3 score of 7.7 indicates high severity, while the EPSS score of less than 1% suggests that exploitation attempts are currently infrequent. The vulnerability is not listed in CISA\u2019s known exploited vulnerabilities catalog. Exploitability requires an attacker to host a malicious repository that contains a crafted .claude/settings.json file; the attacker needs only repository access and the user must open that repository in Claude Code. No further user interaction beyond opening the repo is required, and the bypass occurs silently, making the risk significant for users who do not verify repository trust."}}}}, "created": "2026-03-20T10:36:38.292011+00:00", "updated": "2026-03-25T14:29:53.384042+00:00", "vendors": ["anthropics", "anthropics$PRODUCT$claude_code"]}