CVE-2026-33068
published 2026-03-20CVE-2026-33068: Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled…
PriorityP351high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
0.34%
25.6th percentile
Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anthropic-ai | claude-code | >= 0 < 2.1.53 | 2.1.53 |
| anthropic | claude_code | < 2.1.53 | 2.1.53 |
| anthropics | claude-code | < 2.1.53 | 2.1.53 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv4.07.7HIGHCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
osv·2026-03-19
CVE-2026-33068 [HIGH] Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
Claude Code resolved the permission mode from settings files, including the repo-controlled `.claude/settings.json`, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set `permissions.defaultMode` to `bypassPermissions` in its committed `.claude/settings.json`, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent.
Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to u
GHSA
Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
ghsa·2026-03-19
CVE-2026-33068 [HIGH] CWE-807 Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
Claude Code resolved the permission mode from settings files, including the repo-controlled `.claude/settings.json`, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set `permissions.defaultMode` to `bypassPermissions` in its committed `.claude/settings.json`, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent.
Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to u
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-25723 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-25723 [HIGH] CVE-2026-25723 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25723 :
Claude Code vulnerability analysis and mitigation
Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope. Exploiting this required the ability to execute commands through Claude Code with the "accept edits" feature enabled. This issue has been patched in version 2.0.55.
Source : NVD
## 7.7
Score
Published February 6, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Claude Code
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
E
Wiz
CVE-2026-24053 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-24053 [HIGH] CVE-2026-24053 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24053 :
Claude Code vulnerability analysis and mitigation
Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.74.
Source : NVD
## 7.7
Score
Published February 3, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Claude Code
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probab
Wiz
CVE-2026-33068 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-33068 [HIGH] CVE-2026-33068 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33068 :
Claude Code vulnerability analysis and mitigation
Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.
Source : NVD
## 7.7
Score
Published M
Wiz
CVE-2026-25722 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-25722 [HIGH] CVE-2026-25722 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25722 :
Claude Code vulnerability analysis and mitigation
Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.57.
Source : NVD
## 7.7
Score
Published February 6, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Claude Code
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/
Wiz
CVE-2026-24052 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-24052 [HIGH] CVE-2026-24052 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24052 :
Claude Code vulnerability analysis and mitigation
Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io), this could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111.
Source : NVD
## 7.1
Score
Published February 3, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Claude
Wiz
CVE-2026-25724 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-25724 [HIGH] CVE-2026-25724 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25724 :
Claude Code vulnerability analysis and mitigation
Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7.
Source : NVD
## 2.3
Score
Published February 6, 2026
Severity LOW
CNA Score 2.3
Affected Technologies
Claude Code
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exp
Wiz
CVE-2026-24887 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-24887 [HIGH] CVE-2026-24887 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24887 :
Claude Code vulnerability analysis and mitigation
Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.72.
Source : NVD
## 7.7
Score
Published February 3, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Claude Code
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@
Wiz
CVE-2026-21852 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-21852 [MEDIUM] CVE-2026-21852 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21852 :
Claude Code vulnerability analysis and mitigation
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest vers
Wiz
CVE-2026-25725 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-25725 [HIGH] CVE-2026-25725 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25725 :
Claude Code vulnerability analysis and mitigation
Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.
Source : NVD
## 7.7
Score
Published February 6, 2026
Severity HIGH
2026-03-20
Published