CVE-2026-40068
Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution
EPSS 0.13%
Description
Claude Code used the git worktree `commondir` file when determining folder trust but did not validate its contents. By crafting a repository whose `commondir` file points to a path the victim had previously trusted, an attacker could bypass the trust dialog and immediately execute malicious hooks defined in the repository's `.claude/settings.json`. Exploiting this required the victim to clone the malicious repository and run Claude Code within it, and required the attacker to know or guess a path the victim had already trusted. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version (2.1.84 or later, per the affected range below). Claude Code thanks [hackerone.com/masato_anzai](https://hackerone.com/masato_anzai) for reporting this issue.
Affected packages (1)
- npm/@anthropic-ai/claude-code >= 2.1.63, < 2.1.84
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |