CVE-2026-33068

Name of the Vulnerable Software and Affected Versions Claude Code versions prior to 2.1.53

Description Claude Code is an agentic coding tool that experienced a loading order issue in its settings loader. The software resolved the permission mode from settings files, such as the repository-controlled .claude/settings.json, before determining if the workspace trust confirmation dialog should be displayed. A malicious repository could set the permissions.defaultMode variable to bypassPermissions within its committed .claude/settings.json file, causing the trust dialog to be silently skipped upon the first time the repository is opened. This allows a user to be placed into a permissive mode without explicit consent, potentially enabling an attacker-controlled repository to achieve tool execution, file system access, and command execution.

Recommendations Update to version 2.1.53 or later. As a temporary mitigation, review the .claude/settings.json file in unfamiliar repositories to ensure the permissions.defaultMode variable is not set to bypassPermissions before opening them.