{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/trust-bypass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Claude Code"],"_cs_severities":["high"],"_cs_tags":["git","code-execution","trust-bypass"],"_cs_type":"advisory","_cs_vendors":["Anthropic"],"content_html":"\u003cp\u003eA vulnerability in Claude Code, specifically versions 2.1.63 and later but before 2.1.84, allowed for a trust dialog bypass via Git worktree spoofing. This exploit leverages the way Claude Code determines folder trust using the \u003ccode\u003ecommondir\u003c/code\u003e file in Git worktrees. By crafting a repository containing a \u003ccode\u003ecommondir\u003c/code\u003e file that points to a path the victim has previously trusted, an attacker could bypass the trust dialog, leading to arbitrary code execution through malicious hooks defined in the \u003ccode\u003e.claude/settings.json\u003c/code\u003e file. Successful exploitation required the victim to clone a malicious repository and run Claude Code within it, as well as the attacker knowing or guessing a path the victim had previously trusted. Users on standard Claude Code with auto-update enabled received the fix automatically.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Git repository with a \u003ccode\u003ecommondir\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecommondir\u003c/code\u003e file is configured to point to a directory path the victim is likely to have previously trusted.\u003c/li\u003e\n\u003cli\u003eThe repository includes a malicious \u003ccode\u003e.claude/settings.json\u003c/code\u003e file containing arbitrary code execution hooks.\u003c/li\u003e\n\u003cli\u003eAttacker distributes the malicious repository, likely through social engineering or other deceptive means.\u003c/li\u003e\n\u003cli\u003eVictim clones the malicious repository to their local machine using \u003ccode\u003egit clone\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eVictim opens the cloned directory containing the malicious \u003ccode\u003e.claude/settings.json\u003c/code\u003e in a vulnerable version of Claude Code.\u003c/li\u003e\n\u003cli\u003eClaude Code reads the \u003ccode\u003ecommondir\u003c/code\u003e file and incorrectly trusts the repository based on the spoofed path.\u003c/li\u003e\n\u003cli\u003eThe malicious hooks defined in \u003ccode\u003e.claude/settings.json\u003c/code\u003e are executed, leading to arbitrary code execution on the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allowed an attacker to execute arbitrary code on a victim\u0026rsquo;s machine. While the number of affected users is unknown, the impact of successful exploitation could range from data theft and system compromise to complete takeover of the victim\u0026rsquo;s development environment. The vulnerability primarily targeted developers using Claude Code, potentially impacting software development organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Claude Code to the latest version (\u0026gt;= 2.1.84) to patch CVE-2026-40068.\u003c/li\u003e\n\u003cli\u003eImplement a detection rule that identifies the creation or modification of \u003ccode\u003e.claude/settings.json\u003c/code\u003e files containing suspicious code (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes being launched from within the Claude Code application context (see Sigma rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-25T12:00:00Z","date_published":"2026-04-25T12:00:00Z","id":"/briefs/2026-04-claude-code-trust-bypass/","summary":"A vulnerability in Claude Code allowed for trust dialog bypass via git worktree spoofing, potentially leading to arbitrary code execution by crafting a malicious repository with a `commondir` file pointing to a previously trusted path, bypassing the trust dialog, and executing malicious hooks defined in `.claude/settings.json`.","title":"Claude Code Trust Dialog Bypass via Git Worktree Spoofing","url":"https://feed.craftedsignal.io/briefs/2026-04-claude-code-trust-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["mise","trust-bypass","code-execution","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability exists in the mise tool (versions 2026.2.18 through 2026.4.5) where local project configuration files (.mise.toml) are loaded \u003cem\u003ebefore\u003c/em\u003e trust checks are performed. This allows an attacker who can influence the contents of a repository (e.g., through a pull request or direct commit) to inject malicious configurations that bypass intended trust restrictions. Specifically, an attacker can set \u003ccode\u003etrusted_config_paths = [\u0026quot;/\u0026quot;]\u003c/code\u003e within a crafted .mise.toml, which effectively trusts all configuration files, including the malicious one. This bypass then permits the execution of dangerous directives, such as arbitrary shell commands via \u003ccode\u003e[env] _.source\u003c/code\u003e, leading to potential system compromise. This vulnerability undermines the security model of mise by subverting the trust mechanism designed to prevent unauthorized code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains the ability to modify a repository containing a mise project. This could be via a compromised account, a malicious pull request, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a \u003ccode\u003e.mise.toml\u003c/code\u003e file within the repository, adding the following lines:\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-toml\" data-lang=\"toml\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"nx\"\u003esettings\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nx\"\u003etrusted_config_paths\u003c/span\u003e \u003cspan class=\"p\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;/\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"nx\"\u003eenv\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nx\"\u003e_\u003c/span\u003e\u003cspan class=\"p\"\u003e.\u003c/span\u003e\u003cspan class=\"nx\"\u003esource\u003c/span\u003e \u003cspan class=\"p\"\u003e=\u003c/span\u003e \u003cspan class=\"p\"\u003e[\u003c/span\u003e\u003cspan class=\"s2\"\u003e\u0026#34;./poc.sh\u0026#34;\u003c/span\u003e\u003cspan class=\"p\"\u003e]\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a file \u003ccode\u003epoc.sh\u003c/code\u003e containing the malicious commands to be executed. For example:\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" class=\"chroma\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"cp\"\u003e#!/usr/bin/env bash\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan class=\"line\"\u003e\u003cspan class=\"cl\"\u003e\u003cspan class=\"nb\"\u003eecho\u003c/span\u003e \u003cspan class=\"s2\"\u003e\u0026#34;Exploited!\u0026#34;\u003c/span\u003e \u0026gt; /tmp/pwned.txt\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003c/li\u003e\n\u003cli\u003eA user clones the repository and navigates to the project directory.\u003c/li\u003e\n\u003cli\u003eThe user executes the command \u003ccode\u003emise hook-env -s bash --force\u003c/code\u003e. This command is intended to set up the environment based on the \u003ccode\u003e.mise.toml\u003c/code\u003e configuration.\u003c/li\u003e\n\u003cli\u003eBecause \u003ccode\u003etrusted_config_paths\u003c/code\u003e is set to \u003ccode\u003e/\u003c/code\u003e, the \u003ccode\u003e.mise.toml\u003c/code\u003e file is considered trusted and the \u003ccode\u003e[env] _.source\u003c/code\u003e directive is executed.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epoc.sh\u003c/code\u003e script is executed, resulting in arbitrary code execution. In this example, the \u003ccode\u003e/tmp/pwned.txt\u003c/code\u003e file is created containing \u0026ldquo;Exploited!\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker has achieved arbitrary code execution on the user\u0026rsquo;s system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary code on the victim\u0026rsquo;s machine. The number of potential victims is equal to the number of users who clone and use a repository containing the malicious \u003ccode\u003e.mise.toml\u003c/code\u003e file and are using a vulnerable version of \u003ccode\u003emise\u003c/code\u003e (2026.2.18 - 2026.4.5). The impact ranges from data theft and system compromise to complete control of the affected system, depending on the commands executed by the attacker\u0026rsquo;s script. Organizations using mise for environment management are particularly at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003emise\u003c/code\u003e greater than 2026.4.5 to address CVE-2026-35533.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Mise Hook-Env with Dot Source\u003c/code\u003e to identify potential exploitation attempts based on the \u003ccode\u003emise hook-env\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of unexpected files (e.g., in /tmp) after the execution of \u003ccode\u003emise hook-env\u003c/code\u003e commands.\u003c/li\u003e\n\u003cli\u003eImplement code review processes to prevent the introduction of malicious \u003ccode\u003e.mise.toml\u003c/code\u003e files into repositories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T20:13:11Z","date_published":"2026-04-07T20:13:11Z","id":"/briefs/2026-04-mise-trust-bypass/","summary":"A vulnerability in mise allows an attacker who can place a malicious .mise.toml file in a repository to bypass trust checks and execute arbitrary code via `[env] _.source` due to improper loading of trust settings.","title":"Mise Trust Bypass Vulnerability via Malicious .mise.toml","url":"https://feed.craftedsignal.io/briefs/2026-04-mise-trust-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Trust-Bypass","version":"https://jsonfeed.org/version/1.1"}