CVE-2026-33068

Description

Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:* - VULNERABLE

PoC / Exploit Code

No PoC code available.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33068
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33068
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33068/
[4] VulDB https://vuldb.com/cve/CVE-2026-33068
[5] https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33068", "sourceIdentifier": "[email protected]", "published": "2026-03-20T09:16:15.017", "lastModified": "2026-03-24T15:46:36.440", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53."}, {"lang": "es", "value": "Claude Code es una herramienta de codificación agéntica. Las versiones anteriores a la 2.1.53 resolvían el modo de permiso a partir de archivos de configuración, incluyendo el .claude/settings.json controlado por el repositorio, antes de determinar si mostrar el diálogo de confirmación de confianza del espacio de trabajo. Un repositorio malicioso podría establecer permissions.defaultMode a bypassPermissions en su .claude/settings.json confirmado, causando que el diálogo de confianza se omitiera silenciosamente en la primera apertura. Esto permitía que un usuario fuera colocado en un modo permisivo sin ver la solicitud de confirmación de confianza, facilitando que un repositorio controlado por un atacante obtuviera la ejecución de la herramienta sin el consentimiento explícito del usuario. Este problema ha sido parcheado en la versión 2.1.53."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-807"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2.1.53", "matchCriteriaId": "34F44949-22D3-4942-9E99-11AEF660111F"}]}]}], "references": [{"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}