CVE-2026-33068

Published: Mar 20, 2026 Last Modified: Mar 20, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,7
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: passive
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

AI Translation Available

Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.

807

Reliance on Untrusted Inputs in a Security Decision

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Access Control Availability Other
Potential Impacts:
Bypass Protection Mechanism Gain Privileges Or Assume Identity Varies By Context
Applicable Platforms
Technologies: Not Technology-Specific, Web Based, Web Server
Likelihood of Exploit: High
View CWE Details
https://github.com/anthropics/claude-code/security/advisori…
https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qc…