Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
Description
Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/settings.json, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent. This issue has been patched in version 2.1.53.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@anthropic-ai/claude-codenpm | < 2.1.53 | 2.1.53 |
Affected products
1- Range: < 2.1.53
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-mmgp-wc2j-qcv7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33068ghsaADVISORY
- github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7ghsax_refsource_CONFIRMWEB
News mentions
1- 'TrustFall' Convention Exposes Claude Code Execution RiskDark Reading · May 7, 2026