CVE-2026-33068 in claude-code
Summary
by MITRE • 03/20/2026
Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/26/2026
The vulnerability described in CVE-2026-33068 affects Claude Code, an agentic coding tool that operates within development environments to assist with software creation tasks. This security flaw represents a critical trust boundary violation that undermines the fundamental security model of the application. The issue stems from a flawed order of operations in how the tool processes configuration settings, specifically those related to permission modes. Prior to version 2.1.53, the application executed permission mode resolution from settings files before performing essential security checks that would normally prompt users for workspace trust confirmation. This sequence of operations creates a dangerous condition where malicious actors can manipulate the tool's behavior through committed configuration files, effectively subverting the intended security controls that protect users from potentially harmful repositories.
The technical implementation of this vulnerability involves the manipulation of the .claude/settings.json file within git repositories, which is a common practice for storing tool-specific configurations in modern development workflows. When a repository contains a settings.json file with permissions.defaultMode set to "bypassPermissions", the application processes this setting before evaluating whether workspace trust should be confirmed. This premature resolution of permission settings allows attackers to establish a permissive execution environment without user awareness or explicit consent. The vulnerability operates at the intersection of configuration management and access control, where the tool's security model fails to properly validate the source and integrity of configuration data before applying it. This flaw aligns with CWE-284, which addresses improper access control, and demonstrates how configuration-based privilege escalation can occur when security checks are improperly sequenced.
The operational impact of this vulnerability extends beyond simple permission bypass to encompass a broader compromise of user security posture within development environments. Users who open repositories containing malicious settings files are unknowingly placed into a permissive mode that allows potentially harmful code execution without any visible warning or confirmation. This creates an ideal environment for social engineering attacks where attackers can craft repositories that appear legitimate while silently establishing backdoors or execution capabilities. The vulnerability particularly affects developers who frequently switch between multiple repositories, as the trust confirmation dialog becomes ineffective when repositories are configured to bypass permissions. From an attacker's perspective, this represents a low-effort, high-impact vector that leverages the trust developers place in version-controlled repositories, effectively exploiting the implicit assumption that repository contents are benign until explicitly verified.
Security mitigations for this vulnerability require both immediate patching and enhanced operational security practices. The primary fix involves updating to version 2.1.53 or later, which corrects the order of operations to ensure workspace trust confirmation occurs before permission mode resolution. Organizations should implement repository scanning procedures to detect malicious settings files, particularly those that set permissions.defaultMode to bypassPermissions. Additionally, development teams should establish security policies that require explicit review of configuration files in repositories before trusting them. The vulnerability highlights the importance of proper input validation and security check sequencing, as outlined in the ATT&CK framework's privilege escalation techniques. Security practitioners should also consider implementing automated tools that monitor for suspicious permission settings in version-controlled repositories, as this represents a pattern that could be exploited across similar development tools. Regular security awareness training for developers about the risks of untrusted repository configurations can further reduce the attack surface and improve overall security hygiene.