CVE-2026-40068

Claude Code arbitrary code execution via git worktree commondir trust dialog bypass

Assigner: GitHub_M
Reserved: 09.04.2026 Published: 05.05.2026 Updated: 05.05.2026

In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code to bypass its trust confirmation dialog and immediately execute hooks defined in .claude/settings.json. Exploitation requires the victim to clone the malicious repository and run Claude Code within it, and the attacker must know or guess a path the victim had already trusted. This issue has been fixed in version 2.1.84.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	anthropics
Product	claude-code
Versions	Version >= 2.1.63, < 2.1.84 is affected

Vendor

anthropics

Product

claude-code

Versions

Version >= 2.1.63, < 2.1.84 is affected

References

Problem Types

CWE-20: Improper Input Validation CWE
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE

CVE-2026-40068 PUBLISHED

Claude Code arbitrary code execution via git worktree commondir trust dialog bypass

Metrics

Product Status

References

Problem Types