{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/anthropic/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Claude Code"],"_cs_severities":["high"],"_cs_tags":["git","code-execution","trust-bypass"],"_cs_type":"advisory","_cs_vendors":["Anthropic"],"content_html":"\u003cp\u003eA vulnerability in Claude Code, specifically versions 2.1.63 and later but before 2.1.84, allowed for a trust dialog bypass via Git worktree spoofing. This exploit leverages the way Claude Code determines folder trust using the \u003ccode\u003ecommondir\u003c/code\u003e file in Git worktrees. By crafting a repository containing a \u003ccode\u003ecommondir\u003c/code\u003e file that points to a path the victim has previously trusted, an attacker could bypass the trust dialog, leading to arbitrary code execution through malicious hooks defined in the \u003ccode\u003e.claude/settings.json\u003c/code\u003e file. Successful exploitation required the victim to clone a malicious repository and run Claude Code within it, as well as the attacker knowing or guessing a path the victim had previously trusted. 
Users on standard Claude Code with auto-update enabled received the fix automatically.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Git repository with a \u003ccode\u003ecommondir\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecommondir\u003c/code\u003e file is configured to point to a directory path the victim is likely to have previously trusted.\u003c/li\u003e\n\u003cli\u003eThe repository includes a malicious \u003ccode\u003e.claude/settings.json\u003c/code\u003e file containing arbitrary code execution hooks.\u003c/li\u003e\n\u003cli\u003eAttacker distributes the malicious repository, likely through social engineering or other deceptive means.\u003c/li\u003e\n\u003cli\u003eVictim clones the malicious repository to their local machine using \u003ccode\u003egit clone\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eVictim opens the cloned directory containing the malicious \u003ccode\u003e.claude/settings.json\u003c/code\u003e in a vulnerable version of Claude Code.\u003c/li\u003e\n\u003cli\u003eClaude Code reads the \u003ccode\u003ecommondir\u003c/code\u003e file and incorrectly trusts the repository based on the spoofed path.\u003c/li\u003e\n\u003cli\u003eThe malicious hooks defined in \u003ccode\u003e.claude/settings.json\u003c/code\u003e are executed, leading to arbitrary code execution on the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allowed an attacker to execute arbitrary code on a victim\u0026rsquo;s machine. While the number of affected users is unknown, the impact of successful exploitation could range from data theft and system compromise to complete takeover of the victim\u0026rsquo;s development environment. 
The vulnerability primarily affected developers using Claude Code, with potential downstream impact on software development organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Claude Code to the latest version (\u0026gt;= 2.1.84) to patch CVE-2026-40068.\u003c/li\u003e\n\u003cli\u003eImplement a detection rule that identifies the creation or modification of \u003ccode\u003e.claude/settings.json\u003c/code\u003e files containing suspicious code (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes being launched from within the Claude Code application context (see Sigma rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-25T12:00:00Z","date_published":"2026-04-25T12:00:00Z","id":"/briefs/2026-04-claude-code-trust-bypass/","summary":"A vulnerability in Claude Code allowed a trust dialog bypass via git worktree spoofing, potentially leading to arbitrary code execution: a malicious repository containing a `commondir` file pointing to a previously trusted path bypasses the trust dialog, and malicious hooks defined in `.claude/settings.json` are then executed.","title":"Claude Code Trust Dialog Bypass via Git Worktree Spoofing","url":"https://feed.craftedsignal.io/briefs/2026-04-claude-code-trust-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Anthropic","version":"https://jsonfeed.org/version/1.1"}