Cyber Resilience

CVE-2026-33068

High

Published: 20 March 2026

Published
20 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 25.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33068 is a high-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in Anthropic Claude Code. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33068 is a vulnerability in Claude Code, an agentic coding tool from Anthropic, affecting versions prior to 2.1.53. The issue arises because the tool resolves the permission mode from settings files, including the repository-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository can commit a .claude/settings.json file setting permissions.defaultMode to bypassPermissions, which causes the trust dialog to be silently skipped upon first opening the repository. This flaw is classified under CWE-807 (Reliance on Untrusted Inputs in a Security Decision) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Attackers who control a repository can exploit this vulnerability by embedding the malicious settings file in their code. Victims, such as developers who clone or open the attacker-controlled repository in Claude Code, would unknowingly enter permissive mode without the trust confirmation prompt. This enables the repository to gain tool execution privileges without explicit user consent, potentially allowing arbitrary code execution or other malicious actions within the tool's environment.

The vulnerability has been patched in Claude Code version 2.1.53. Additional details on the fix and affected versions are available in the GitHub security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions…

more

in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: claude

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability exploits a flaw in the client-side Claude Code tool, allowing malicious repository settings to bypass the workspace trust dialog and enable arbitrary code execution without user consent.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59041Same product: Anthropic Claude Code
CVE-2025-65099Same product: Anthropic Claude Code
CVE-2026-39861Same product: Anthropic Claude Code
CVE-2026-24887Same product: Anthropic Claude Code
CVE-2025-58764Same product: Anthropic Claude Code
CVE-2026-40068Same product: Anthropic Claude Code
CVE-2026-24052Same product: Anthropic Claude Code
CVE-2025-64755Same product: Anthropic Claude Code
CVE-2026-25725Same product: Anthropic Claude Code
CVE-2026-25724Same product: Anthropic Claude Code

Affected Assets

anthropic
claude code
≤ 2.1.53

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of untrusted inputs from repository-controlled .claude/settings.json to prevent malicious permissions.defaultMode from bypassing the workspace trust confirmation dialog.

prevent

Ensures access control decisions, such as displaying the trust dialog before permissive mode, are not subverted by untrusted inputs from malicious repository settings files.

prevent

Enforces least privilege by requiring explicit user consent through the trust dialog, limiting damage from unauthorized permissive tool execution even if settings are manipulated.

References