HIGH🇬🇧 English

CVE-2026-40068

CVSS 7.7v4.0pub. 2026-05-05upd. 2026-05-12

In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code to bypass its trust confirmation dialog and immediately execute hooks defined in `.claude/settings.json`. Exploitation requires the victim to clone the malicious repository and run Claude Code within it, and the attacker must know or guess a path the victim had already trusted. This issue has been fixed in version 2.1.84.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Anthropic Claude Code

    APP
    Anthropic
    2.1.63 – 2.1.84 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-55607HIGH7.7ten sam produkt

Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed cre...

CVE-2026-39861HIGH7.7ten sam produkt

Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxe...

CVE-2026-33068HIGH7.7ten sam produkt

Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings fil...

CVE-2026-25722HIGH7.7ten sam produkt

Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate direct...

CVE-2026-25725HIGH7.7ten sam produkt

Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism f...

CVE-2026-40068 — HIGH 7.7 | CVEbaza.pl