Description
In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code to bypass its trust confirmation dialog and immediately execute hooks defined in `.claude/settings.json`. Exploitation requires the victim to clone the malicious repository and run Claude Code within it, and the attacker must know or guess a path the victim had already trusted. This issue has been fixed in version 2.1.84.
Published: 2026-05-05
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Claude Code versions 2.1.63 through 2.1.83 allows an attacker to cause the application to execute arbitrary code by manipulating the git worktree commondir file. The vulnerability relies on missing validation of the commondir contents, which permits the attacker to point the file at a directory the victim has previously marked as trusted. When the application launches, it bypasses the security confirmation dialog and runs hooks defined in .claude/settings.json, resulting in remote code execution.

Affected Systems

Anthropic’s Claude Code, specifically versions 2.1.63 to 2.1.83, are vulnerable. The flaw affects any users who clone a malicious repository containing a crafted commondir file and subsequently run Claude Code within that repository.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity. Exploitation requires the victim to clone the attacker‑crafted repository and run the application within it, and the attacker must know or guess a previously trusted path. There is no current evidence of public exploitation or inclusion in the CISA KEV catalog, and the EPSS score is unavailable. Nonetheless, the potential for arbitrary code execution warrants immediate attention.

Generated by OpenCVE AI on May 5, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Claude Code to version 2.1.84 or later, which contains the security fix.
  • If an upgrade cannot be applied immediately, do not run Claude Code inside any directories that contain untrusted git repositories or remove unsanitized hooks from .claude/settings.json before execution.
  • Resynchronize or revoke trust relationships for suspect paths to prevent further bypass of the confirmation dialog.

Generated by OpenCVE AI on May 5, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q5hj-mxqh-vv77 Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution
History

Tue, 05 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Anthropics
Anthropics claude Code
Vendors & Products Anthropics
Anthropics claude Code

Tue, 05 May 2026 21:15:00 +0000

Type Values Removed Values Added
Description In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code to bypass its trust confirmation dialog and immediately execute hooks defined in `.claude/settings.json`. Exploitation requires the victim to clone the malicious repository and run Claude Code within it, and the attacker must know or guess a path the victim had already trusted. This issue has been fixed in version 2.1.84.
Title Claude Code arbitrary code execution via git worktree commondir trust dialog bypass
Weaknesses CWE-20
CWE-77
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Anthropics Claude Code
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T20:52:26.089Z

Reserved: 2026-04-09T00:39:12.204Z

Link: CVE-2026-40068

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T21:16:23.093

Modified: 2026-05-05T21:16:23.093

Link: CVE-2026-40068

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T22:30:33Z

Weaknesses