CVE-2026-40068

HIGH

Claude Code arbitrary code execution via git worktree commondir trust dialog bypass

Title source: cna

Description

In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code to bypass its trust confirmation dialog and immediately execute hooks defined in `.claude/settings.json`. Exploitation requires the victim to clone the malicious repository and run Claude Code within it, and the attacker must know or guess a path the victim had already trusted. This issue has been fixed in version 2.1.84.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/anthropics/claude-code/security/advisories/GHSA-q5hj-mxqh-vv77

Scores

CVSS v3 8.8

EPSS 0.0028

EPSS Percentile 19.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20 CWE-77

Status published

Products (3)

anthropic/claude_code 2.1.63 - 2.1.84

anthropic-ai/claude-code 2.1.63 - 2.1.84npm

anthropics/claude-code >= 2.1.63, < 2.1.84

Published May 05, 2026

Tracked Since May 06, 2026