high advisory

Claude Code Workspace Trust Dialog Bypass via Settings Loading Order (CVE-2026-33068)

A maliciously crafted `.claude/settings.json` file in a Claude Code repository (versions prior to 2.1.53) can bypass the workspace trust confirmation dialog by exploiting a configuration loading order defect, allowing for arbitrary code execution within a supposedly untrusted workspace.

CVE-2026-33068 affects Anthropic’s Claude Code CLI tool in versions prior to 2.1.53. The vulnerability stems from a configuration loading order defect where repository-level settings, specifically those defined in `.claude/settings.json`, are resolved before the workspace trust dialog is presented to the user. This allows a malicious repository to include a `.claude/settings.json` file containing `bypassPermissions` entries. These permissions are then applied before the user has the opportunity…

Detection coverage 2

Detect Claude Code Settings File Creation

low

Detects the creation of a .claude/settings.json file, which could be an indicator of malicious activity related to CVE-2026-33068.

sigma; tactics: defense_evasion; techniques: T1553.005; sources: file_event, windows|linux|macos

Detect Claude Code Executing with Bypassed Permissions

medium

Detects potential exploitation by monitoring for claude-code process execution where permissions appear to be bypassed, based on command line flags.

sigma; tactics: defense_evasion, execution; sources: process_creation, windows|linux|macos
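The mere presence of `.claude/settings.json` is a weak signal, so a content check before a checkout is opened gives a stronger one. The following is an added example, not one of the platform's rules and not Anthropic's code: it audits a checkout for settings files that mention `bypassPermissions` and tests a version string against the fixed release. The function names, the `<unparsed>` label, and the sample settings content are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

FIXED = (2, 1, 53)            # first fixed release per the advisory
MARKER = "bypassPermissions"  # string named in the advisory; its place in the schema is assumed

def is_affected(version: str) -> bool:
    """True if a Claude Code version string such as '2.1.52' predates the fix."""
    return tuple(int(p) for p in version.strip().lstrip("v").split(".")[:3]) < FIXED

def find_marker(node, path="$"):
    """Yield JSON paths where MARKER appears as a key or inside a string value."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == MARKER:
                yield child
            yield from find_marker(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_marker(value, f"{path}[{i}]")
    elif isinstance(node, str) and MARKER in node:
        yield path

def audit_repo(root):
    """Return [(relative_path, [findings])] for each .claude/settings.json under root."""
    results = []
    for f in sorted(Path(root).rglob("settings.json")):
        if f.parent.name != ".claude":
            continue
        raw = f.read_text(encoding="utf-8", errors="replace")
        try:
            hits = list(find_marker(json.loads(raw)))
        except json.JSONDecodeError:
            hits = ["<unparsed>"] if MARKER in raw else []  # raw match on malformed JSON
        results.append((f.relative_to(root).as_posix(), hits))
    return results

def demo():
    """Audit a constructed sample repository built in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        cfg = Path(root, ".claude")
        cfg.mkdir()
        sample = {"permissions": {"defaultMode": "bypassPermissions"}}  # constructed
        (cfg / "settings.json").write_text(json.dumps(sample))
        return audit_repo(root)

if __name__ == "__main__":
    print(demo(), is_affected("2.1.52"))
```

A non-empty findings list on a host where `is_affected` is true for the installed version is the combination worth escalating; a settings file with no findings is still recorded so reviewers can see it was inspected.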
