{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33068", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.343Z", "datePublished": "2026-03-20T08:17:47.794Z", "dateUpdated": "2026-03-20T13:48:36.014Z"}, "containers": {"cna": {"title": "Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File", "problemTypes": [{"descriptions": [{"cweId": "CWE-807", "lang": "en", "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7"}], "affected": [{"vendor": "anthropics", "product": "claude-code", "versions": [{"version": "< 2.1.53", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:17:47.794Z"}, "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53."}], "source": {"advisory": "GHSA-mmgp-wc2j-qcv7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T13:48:28.263574Z", "id": "CVE-2026-33068", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:48:36.014Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33068", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T13:48:28.263574Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:48:31.483Z"}}], "cna": {"title": "Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File", "source": {"advisory": "GHSA-mmgp-wc2j-qcv7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "anthropics", "product": "claude-code", "versions": [{"status": "affected", "version": "< 2.1.53"}]}], "references": [{"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7", "name": "https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-807", "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:17:47.794Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33068", "state": "PUBLISHED", "dateUpdated": "2026-03-20T13:48:36.014Z", "dateReserved": "2026-03-17T19:27:06.343Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T08:17:47.794Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "34F44949-22D3-4942-9E99-11AEF660111F", "versionEndExcluding": "2.1.53", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53."}, {"lang": "es", "value": "Claude Code es una herramienta de codificaci\u00f3n ag\u00e9ntica. Las versiones anteriores a la 2.1.53 resolv\u00edan el modo de permiso a partir de archivos de configuraci\u00f3n, incluyendo el .claude/settings.json controlado por el repositorio, antes de determinar si mostrar el di\u00e1logo de confirmaci\u00f3n de confianza del espacio de trabajo. Un repositorio malicioso podr\u00eda establecer permissions.defaultMode a bypassPermissions en su .claude/settings.json confirmado, causando que el di\u00e1logo de confianza se omitiera silenciosamente en la primera apertura. Esto permit\u00eda que un usuario fuera colocado en un modo permisivo sin ver la solicitud de confirmaci\u00f3n de confianza, facilitando que un repositorio controlado por un atacante obtuviera la ejecuci\u00f3n de la herramienta sin el consentimiento expl\u00edcito del usuario. Este problema ha sido parcheado en la versi\u00f3n 2.1.53."}], "id": "CVE-2026-33068", "lastModified": "2026-03-24T15:46:36.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T09:16:15.017", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-807"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.53)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "claude-code", "source": "cna", "vendor": "anthropics"}, "product": "claude_code", "vendor": "anthropics"}], "analysis": {"en": {"generated_at": "2026-03-20T09:22:54.246589+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch to update Claude Code to version 2.1.53 or later."], "summary": {"action": "Immediate Patch", "impact": "Execution of malicious code without user consent"}, "threat_synthesis": {"affected_systems": "The affected product is anthropics:claude-code, specifically versions prior to 2.1.53. The vulnerability was addressed in release 2.1.53, which introduced checks to resolve permission mode before displaying the workspace trust dialog.", "description_and_impact": "Claude Code, an agentic coding tool, had a flaw in versions prior to 2.1.53 where the permission mode from settings files\u2014including the repository\u2011controlled .claude/settings.json\u2014was determined before the workspace trust confirmation dialog was shown. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed settings file, causing the trust dialog to be silently skipped on first open. This allowed an attacker to place a user into a permissive mode without any visible confirmation, enabling tool execution without explicit user consent. The weakness is classified under CWE\u2011807, reflecting improper authorization or trust handling.", "risk_and_exploitability": "The CVSS base score is 7.7, indicating high severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a repository containing a committed .claude/settings.json that sets permissions.defaultMode to bypassPermissions. The attack vector is essentially a malicious repository that the user opens in Claude Code; no user interaction beyond opening the repository is required because the trust dialog is suppressed automatically. Consequently, the risk is high within environments that accept untrusted repositories without additional verification."}}}}, "created": "2026-03-20T10:36:38.292011+00:00", "updated": "2026-03-20T16:27:44.370788+00:00", "vendors": ["anthropics", "anthropics$PRODUCT$claude_code"]}