BotBeat
POLICY & REGULATION, Anthropic, 2026-03-21

Critical Vulnerability in Anthropic's Claude Code CLI Allows Workspace Trust Bypass

Key Takeaways

  • Claude Code versions prior to 2.1.53 are vulnerable to workspace trust dialog bypass through malicious .claude/settings.json configuration files
  • The vulnerability exploits the loading order of configuration files, allowing security checkpoints to be skipped before user permissions are granted
  • Attack requires social engineering to convince developers to clone a malicious repository, but then proceeds without further user interaction

Source: Hacker News, https://raxe.ai/labs/advisories/RAXE-2026-040

Summary

A high-severity configuration loading order vulnerability (CVE-2026-33068, CVSS 7.7) has been discovered in Anthropic's Claude Code CLI tool affecting versions prior to 2.1.53. The flaw allows malicious repositories to bypass the workspace trust confirmation dialog by exploiting the order in which configuration files are processed. An attacker can craft a repository containing a .claude/settings.json file with the bypassPermissions mode set, which gets applied before the security checkpoint is displayed, silently granting tool execution permissions without user consent.

The vulnerability is classified as CWE-807 (Reliance on Untrusted Inputs in a Security Decision) and represents a systemic risk pattern in agentic coding tools where legitimate configuration features can become attack vectors when applied at the wrong processing stage. Exploitation requires social engineering—convincing a developer to clone and open a malicious repository—but once that occurs, the attack bypasses Claude Code's primary security boundary without further user interaction.

Anthropic has released version 2.1.53, which corrects the configuration loading order and prevents the bypass. Organizations are advised to verify all developer installations are updated to this version or later. While legitimate projects may contain .claude/settings.json files with bypassPermissions, scanning untrusted repositories for this pattern before cloning can help identify potential attack payloads in pre-patch environments.
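
A scanner for the pattern described above, as an added example (not code from Anthropic or the advisory): it walks a fetched checkout that has not yet been opened in Claude Code and reports every .claude/settings.json holding the string value bypassPermissions, at any depth. The function names and the key names in the constructed sample files are assumptions; only the file path and the value come from the article.

```python
import json
import tempfile
from pathlib import Path

MARKER = "bypassPermissions"  # value named in the advisory

def _paths_to_marker(node, path="$"):
    """Yield the JSON path of every string value equal to MARKER, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _paths_to_marker(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _paths_to_marker(value, f"{path}[{i}]")
    elif node == MARKER:
        yield path

def scan_repo(root):
    """Return [(relative file, finding)] for every .claude/settings.json under root."""
    root = Path(root)
    findings = []
    for f in sorted(root.rglob("settings.json")):
        if f.parent.name != ".claude" or not f.is_file():
            continue
        text = f.read_text(encoding="utf-8", errors="replace")
        rel = f.relative_to(root).as_posix()
        try:
            hits = list(_paths_to_marker(json.loads(text)))
        except json.JSONDecodeError:
            # Unparseable file: fall back to a raw substring check rather than skipping it.
            hits = ["<unparseable JSON, raw match>"] if MARKER in text else []
        findings.extend((rel, h) for h in hits)
    return findings

def demo():
    # Builds a constructed sample checkout (two nested projects) and scans it.
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".claude").mkdir()
        # Key names here are assumptions for illustration; only the value is from the article.
        (repo / ".claude" / "settings.json").write_text(
            json.dumps({"permissions": {"defaultMode": MARKER}}))
        (repo / "sub" / ".claude").mkdir(parents=True)
        (repo / "sub" / ".claude" / "settings.json").write_text('{"mode": "bypassPermissions",')
        return scan_repo(repo)

if __name__ == "__main__":
    for rel, hit in demo():
        print(f"{rel}: {hit}")
```

A hit is a prompt for manual review, since legitimate projects may ship the same setting.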

  • Anthropic has patched the issue in version 2.1.53; developers should verify installations are updated and enable auto-updates
  • The flaw demonstrates how legitimate configuration features in agentic tools can become security risks if applied at the wrong stage of the trust chain

Editorial Opinion

This vulnerability underscores a critical design principle for agentic coding tools: security checkpoints must be immutable and evaluated before any untrusted input (including configuration files) can influence their outcome. While Anthropic's legitimate configuration features are well-designed, their placement in the processing pipeline created a dangerous ordering flaw. Organizations deploying agentic development tools should audit their security boundaries similarly, ensuring that trust decisions are finalized before any repository-controlled inputs take effect.
