CVE-2026-33068

Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.

Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.

Claude Code resolved the permission mode from settings files, including the repo-controlled `.claude/settings.json`, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set `permissions.defaultMode` to `bypassPermissions` in its committed `.claude/settings.json`, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version. Thank you to hackerone.com/cantina_xyz for reporting this issue.

Claude Code resolved the permission mode from settings files, including the repo-controlled `.claude/settings.json`, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set `permissions.defaultMode` to `bypassPermissions` in its committed `.claude/settings.json`, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version. Thank you to hackerone.com/cantina_xyz for reporting this issue.

Claude Code es una herramienta de codificación agéntica. Las versiones anteriores a la 2.1.53 resolvían el modo de permiso a partir de archivos de configuración, incluyendo el .claude/settings.json controlado por el repositorio, antes de determinar si mostrar el diálogo de confirmación de confianza del espacio de trabajo. Un repositorio malicioso podría establecer permissions.defaultMode a bypassPermissions en su .claude/settings.json confirmado, causando que el diálogo de confianza se omitiera silenciosamente en la primera apertura. Esto permitía que un usuario fuera colocado en un modo permisivo sin ver la solicitud de confirmación de confianza, facilitando que un repositorio controlado por un atacante obtuviera la ejecución de la herramienta sin el consentimiento explícito del usuario. Este problema ha sido parcheado en la versión 2.1.53.