CVE-2026-33068
- Source
- https://cve.org/CVERecord?id=CVE-2026-33068
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33068.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-33068
- Aliases
- Published
- 2026-03-20T08:17:47.794Z
- Modified
- 2026-04-02T13:26:58.896885Z
- Severity
-
- 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
- Details
-
Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33068.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-807" ] }- References
Affected packages
Git / github.com/anthropics/claude-code
Affected versions
v2.*
v2.0.73
v2.0.74
v2.0.76
v2.1.0
v2.1.1
v2.1.11
v2.1.12
v2.1.14
v2.1.15
v2.1.16
v2.1.17
v2.1.19
v2.1.2
v2.1.20
v2.1.21
v2.1.22
v2.1.23
v2.1.25
v2.1.27
v2.1.29
v2.1.3
v2.1.30
v2.1.31
v2.1.32
v2.1.33
v2.1.34
v2.1.36
v2.1.37
v2.1.38
v2.1.39
v2.1.4
v2.1.41
v2.1.42
v2.1.44
v2.1.45
v2.1.47
v2.1.49
v2.1.5
v2.1.50
v2.1.51
v2.1.52
v2.1.6
v2.1.7
v2.1.9