Description
Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.
Published: 2026-03-20
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: User Consent Evasion
Action: Apply Patch
AI Analysis

Impact

Claude Code, an agentic coding tool, has a flaw that allows a malicious repository to bypass the workspace trust confirmation dialog. Prior to version 2.1.53, the tool reads permission settings from a repo‑controlled file (.claude/settings.json) before showing the confirmation prompt. An attacker can set permissions.defaultMode to bypassPermissions, causing the dialog to be skipped automatically, placing a user into a permissive mode without explicit warning and enabling code execution within the tool. This weakness corresponds to CWE‑807, which involves indirect information leakage through misconfigured permissions.

Affected Systems

Anthropics’ Claude Code is affected, specifically all releases prior to version 2.1.53, regardless of the underlying operating system. Users running any of those vulnerable releases that open untrusted repositories are at risk.

Risk and Exploitability

The CVSS v3 score of 7.7 indicates high severity, while the EPSS score of less than 1% suggests that exploitation attempts are currently infrequent. The vulnerability is not listed in CISA’s known exploited vulnerabilities catalog. Exploitability requires an attacker to host a malicious repository that contains a crafted .claude/settings.json file; the attacker needs only repository access and the user must open that repository in Claude Code. No further user interaction beyond opening the repo is required, and the bypass occurs silently, making the risk significant for users who do not verify repository trust.

Generated by OpenCVE AI on March 24, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Claude Code to version 2.1.53 or later

Generated by OpenCVE AI on March 24, 2026 at 17:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mmgp-wc2j-qcv7 Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
History

Tue, 24 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Anthropic
Anthropic claude Code
CPEs cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*
Vendors & Products Anthropic
Anthropic claude Code
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Anthropics
Anthropics claude Code
Vendors & Products Anthropics
Anthropics claude Code

Fri, 20 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Description Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.
Title Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
Weaknesses CWE-807
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Anthropic Claude Code
Anthropics Claude Code
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T13:48:36.014Z

Reserved: 2026-03-17T19:27:06.343Z

Link: CVE-2026-33068

cve-icon Vulnrichment

Updated: 2026-03-20T13:48:31.483Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T09:16:15.017

Modified: 2026-03-24T15:46:36.440

Link: CVE-2026-33068

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:29:53Z

Weaknesses