CVE-2026-40068
Trust Bypass via Malicious Git Worktree Commondir in Claude Code

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: GitHub, Inc.

Description
In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code to bypass its trust confirmation dialog and immediately execute hooks defined in `.claude/settings.json`. Exploitation requires the victim to clone the malicious repository and run Claude Code within it, and the attacker must know or guess a path the victim had already trusted. This issue has been fixed in version 2.1.84.
Meta Information
Published: 2026-05-05
Last Modified: 2026-05-05
Generated: 2026-05-07
AI Q&A: 2026-05-06
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
claude_code | claude_code | From 2.1.63 (inc) to 2.1.83 (inc)
claude_code | claude_code | 2.1.84
CWE ID | Description
CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Claude Code to version 2.1.84 or later, where the issue has been fixed.

Avoid cloning and running Claude Code within repositories from untrusted sources, especially if the attacker might know or guess paths you have previously trusted.


Can you explain this vulnerability to me?

This vulnerability exists in versions 2.1.63 through 2.1.83 of Claude Code. It involves the folder trust determination logic, which uses the git worktree commondir file without validating its contents. An attacker can create a malicious repository with a commondir file that points to a path the victim has previously trusted. This causes Claude Code to bypass its trust confirmation dialog and immediately execute hooks defined in the .claude/settings.json file.

To exploit this vulnerability, the victim must clone the malicious repository and run Claude Code within it, and the attacker must know or guess a path the victim had already trusted. The issue was fixed in version 2.1.84.
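The validation step that the description and the answer above imply, as an added illustration that is not Claude Code's own code: before a linked worktree inherits the trust decision of the repository its commondir names, confirm that this repository actually registered the worktree, using the back-link git itself writes at .git/worktrees/<name>/gitdir. The file layout follows git's documented worktree format; the function names and the "fall back to prompting for the clone itself" policy are the example's own.

```python
from pathlib import Path
from typing import Optional


def _read_gitdir_pointer(dot_git: Path) -> Optional[Path]:
    """Parse a '.git' file of the form 'gitdir: <path>'; None when .git is a directory."""
    if dot_git.is_dir():
        return None
    text = dot_git.read_text(encoding="utf-8").strip()
    if not text.startswith("gitdir:"):
        raise ValueError(f"unexpected .git file contents in {dot_git}")
    # A relative gitdir is relative to the directory holding the .git file.
    return (dot_git.parent / text[len("gitdir:"):].strip()).resolve()


def trust_root_for(workdir: Path) -> Path:
    """Directory whose folder-trust decision applies to `workdir`.

    A plain repository (.git is a directory) is its own trust root. For a linked
    worktree, the main repository named by `commondir` is used only if that
    repository registers this exact worktree under worktrees/<name>/gitdir.
    Any other commondir is treated as attacker-controlled input and the
    worktree itself is returned, so trust must be confirmed for it afresh.
    """
    workdir = workdir.resolve()
    gitdir = _read_gitdir_pointer(workdir / ".git")
    if gitdir is None:
        return workdir
    commondir_file = gitdir / "commondir"
    if not commondir_file.is_file():
        return workdir
    # commondir is relative to the gitdir itself (git's own convention).
    common = (gitdir / commondir_file.read_text(encoding="utf-8").strip()).resolve()
    # Reverse-link check: the claimed main repository must point back at this
    # worktree's .git file, which a repository merely *named* by commondir does not.
    backlink = common / "worktrees" / gitdir.name / "gitdir"
    try:
        registered = Path(backlink.read_text(encoding="utf-8").strip()).resolve()
    except OSError:
        return workdir
    if registered != (workdir / ".git").resolve():
        return workdir
    return common.parent
```

Any worktree for which the back-link is missing or names a different directory is scored as its own folder, so a commondir that merely names a previously trusted path no longer skips the confirmation step.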


How can this vulnerability impact me?

This vulnerability can lead to the unintended execution of malicious hooks in Claude Code without the user's confirmation. Since the trust confirmation dialog is bypassed, an attacker can execute arbitrary code defined in the .claude/settings.json file, potentially compromising the victim's system or data.

