CVE-2026-33068

Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*

History

24 Mar 2026, 15:46

Type	Values Removed	Values Added
First Time		Anthropic Anthropic claude Code
References	~~() https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7 -~~	() https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:a:anthropic:claude_code::::::node.js::*
Summary		(es) Claude Code es una herramienta de codificación agéntica. Las versiones anteriores a la 2.1.53 resolvían el modo de permiso a partir de archivos de configuración, incluyendo el .claude/settings.json controlado por el repositorio, antes de determinar si mostrar el diálogo de confirmación de confianza del espacio de trabajo. Un repositorio malicioso podría establecer permissions.defaultMode a bypassPermissions en su .claude/settings.json confirmado, causando que el diálogo de confianza se omitiera silenciosamente en la primera apertura. Esto permitía que un usuario fuera colocado en un modo permisivo sin ver la solicitud de confirmación de confianza, facilitando que un repositorio controlado por un atacante obtuviera la ejecución de la herramienta sin el consentimiento explícito del usuario. Este problema ha sido parcheado en la versión 2.1.53.

20 Mar 2026, 09:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 09:16

Updated : 2026-03-24 15:46

NVD link : CVE-2026-33068

Mitre link : CVE-2026-33068

CVE.ORG link : CVE-2026-33068

JSON object : View

Products Affected

anthropic

claude_code

CWE

CWE-807

Reliance on Untrusted Inputs in a Security Decision

8.8 /10