Trust-Bypass — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/trust-bypass/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 25 Apr 2026 12:00:00 +0000Claude Code Trust Dialog Bypass via Git Worktree Spoofinghttps://feed.craftedsignal.io/briefs/2026-04-claude-code-trust-bypass/Sat, 25 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-claude-code-trust-bypass/A vulnerability in Claude Code allowed for trust dialog bypass via git worktree spoofing, potentially leading to arbitrary code execution by crafting a malicious repository with a `commondir` file pointing to a previously trusted path, bypassing the trust dialog, and executing malicious hooks defined in `.claude/settings.json`.A vulnerability in Claude Code, specifically versions 2.1.63 and later but before 2.1.84, allowed for a trust dialog bypass via Git worktree spoofing. This exploit leverages the way Claude Code determines folder trust using the commondir file in Git worktrees. By crafting a repository containing a commondir file that points to a path the victim has previously trusted, an attacker could bypass the trust dialog, leading to arbitrary code execution through malicious hooks defined in the .claude/settings.json file. Successful exploitation required the victim to clone a malicious repository and run Claude Code within it, as well as the attacker knowing or guessing a path the victim had previously trusted. Users on standard Claude Code with auto-update enabled received the fix automatically.

Attack Chain

  1. Attacker crafts a malicious Git repository with a commondir file.
  2. The commondir file is configured to point to a directory path the victim is likely to have previously trusted.
  3. The repository includes a malicious .claude/settings.json file containing arbitrary code execution hooks.
  4. Attacker distributes the malicious repository, likely through social engineering or other deceptive means.
  5. Victim clones the malicious repository to their local machine using git clone.
  6. Victim opens the cloned directory containing the malicious .claude/settings.json in a vulnerable version of Claude Code.
  7. Claude Code reads the commondir file and incorrectly trusts the repository based on the spoofed path.
  8. The malicious hooks defined in .claude/settings.json are executed, leading to arbitrary code execution on the victim’s machine.

Impact

Successful exploitation of this vulnerability allowed an attacker to execute arbitrary code on a victim’s machine. While the number of affected users is unknown, the impact of successful exploitation could range from data theft and system compromise to complete takeover of the victim’s development environment. The vulnerability primarily targeted developers using Claude Code, potentially impacting software development organizations.

Recommendation

  • Upgrade Claude Code to the latest version (>= 2.1.84) to patch CVE-2026-40068.
  • Implement a detection rule that identifies the creation or modification of .claude/settings.json files containing suspicious code (see Sigma rule below).
  • Monitor process creation events for unusual processes being launched from within the Claude Code application context (see Sigma rule below).
]]>highadvisorygitcode-executiontrust-bypassMise Trust Bypass Vulnerability via Malicious .mise.tomlhttps://feed.craftedsignal.io/briefs/2026-04-mise-trust-bypass/Tue, 07 Apr 2026 20:13:11 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-mise-trust-bypass/A vulnerability in mise allows an attacker who can place a malicious .mise.toml file in a repository to bypass trust checks and execute arbitrary code via `[env] _.source` due to improper loading of trust settings.A critical vulnerability exists in the mise tool (versions 2026.2.18 through 2026.4.5) where local project configuration files (.mise.toml) are loaded before trust checks are performed. This allows an attacker who can influence the contents of a repository (e.g., through a pull request or direct commit) to inject malicious configurations that bypass intended trust restrictions. Specifically, an attacker can set trusted_config_paths = ["/"] within a crafted .mise.toml, which effectively trusts all configuration files, including the malicious one. This bypass then permits the execution of dangerous directives, such as arbitrary shell commands via [env] _.source, leading to potential system compromise. This vulnerability undermines the security model of mise by subverting the trust mechanism designed to prevent unauthorized code execution.

Attack Chain

  1. An attacker gains the ability to modify a repository containing a mise project. This could be via a compromised account, a malicious pull request, or other means.
  2. The attacker creates or modifies a .mise.toml file within the repository, adding the following lines: 
    [settings]
trusted_config_paths = ["/"]

[env]
_.source = ["./poc.sh"]
  3. The attacker creates or modifies a file poc.sh containing the malicious commands to be executed. For example: 
    #!/usr/bin/env bash
echo "Exploited!" > /tmp/pwned.txt
  4. A user clones the repository and navigates to the project directory.
  5. The user executes the command mise hook-env -s bash --force. This command is intended to set up the environment based on the .mise.toml configuration.
  6. Because trusted_config_paths is set to /, the .mise.toml file is considered trusted and the [env] _.source directive is executed.
  7. The poc.sh script is executed, resulting in arbitrary code execution. In this example, the /tmp/pwned.txt file is created containing “Exploited!”.
  8. The attacker has achieved arbitrary code execution on the user’s system.

Impact

Successful exploitation allows an attacker to execute arbitrary code on the victim’s machine. The number of potential victims is equal to the number of users who clone and use a repository containing the malicious .mise.toml file and are using a vulnerable version of mise (2026.2.18 - 2026.4.5). The impact ranges from data theft and system compromise to complete control of the affected system, depending on the commands executed by the attacker’s script. Organizations using mise for environment management are particularly at risk.

Recommendation

  • Upgrade to a patched version of mise greater than 2026.4.5 to address CVE-2026-35533.
  • Deploy the Sigma rule Detect Mise Hook-Env with Dot Source to identify potential exploitation attempts based on the mise hook-env command.
  • Monitor for the creation of unexpected files (e.g., in /tmp) after the execution of mise hook-env commands.
  • Implement code review processes to prevent the introduction of malicious .mise.toml files into repositories.
]]>highadvisorymisetrust-bypasscode-executionvulnerability