High severity8.8GHSA Advisory· Published May 5, 2026· Updated May 12, 2026

CVE-2026-40068

Description

In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code to bypass its trust confirmation dialog and immediately execute hooks defined in .claude/settings.json. Exploitation requires the victim to clone the malicious repository and run Claude Code within it, and the attacker must know or guess a path the victim had already trusted. This issue has been fixed in version 2.1.84.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@anthropic-ai/claude-codenpm	>= 2.1.63, < 2.1.84	2.1.84

Affected products

Anthropic/Claude CodeGHSA
Range: >= 2.1.63, < 2.1.84

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-q5hj-mxqh-vv77ghsaADVISORY
github.com/anthropics/claude-code/security/advisories/GHSA-q5hj-mxqh-vv77nvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-40068ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000