GHSA-q5hj-mxqh-vv77
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q5hj-mxqh-vv77
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-q5hj-mxqh-vv77/GHSA-q5hj-mxqh-vv77.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q5hj-mxqh-vv77
- Aliases
-
- CVE-2026-40068
- Published
- 2026-04-24T16:34:03Z
- Modified
- 2026-05-08T15:50:36.976042Z
- Severity
-
- 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution
- Details
-
Claude Code used the git worktree
commondirfile when determining folder trust but did not validate its contents. By crafting a repository with acommondirfile pointing to a path the victim had previously trusted, an attacker could bypass the trust dialog and immediately execute malicious hooks defined in.claude/settings.json. Exploiting this required the victim to clone a malicious repository and run Claude Code within it, and for the attacker to know or guess a path the victim had already trusted.Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.
Claude Code thanks hackerone.com/masato_anzai for reporting this issue.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-04-24T16:34:03Z", "cwe_ids": [ "CWE-20", "CWE-77" ], "severity": "HIGH", "nvd_published_at": "2026-05-05T21:16:23Z" }- References
Affected packages
npm / @anthropic-ai/claude-code
Package
- Name
- @anthropic-ai/claude-code
- View open source insights on deps.dev
- Purl
- pkg:npm/%40anthropic-ai/claude-code