Vulnerability Details CVE-2026-40068
In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code to bypass its trust confirmation dialog and immediately execute hooks defined in `.claude/settings.json`. Exploitation requires the victim to clone the malicious repository and run Claude Code within it, and the attacker must know or guess a path the victim had already trusted. This issue has been fixed in version 2.1.84.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 33.2%
CVSS Severity
CVSS v3 Score 8.8
Products affected by CVE-2026-40068
-
cpe:2.3:a:anthropic:claude_code:2.1.63
-
cpe:2.3:a:anthropic:claude_code:2.1.64
-
cpe:2.3:a:anthropic:claude_code:2.1.66
-
cpe:2.3:a:anthropic:claude_code:2.1.68
-
cpe:2.3:a:anthropic:claude_code:2.1.69
-
cpe:2.3:a:anthropic:claude_code:2.1.70
-
cpe:2.3:a:anthropic:claude_code:2.1.71
-
cpe:2.3:a:anthropic:claude_code:2.1.72
-
cpe:2.3:a:anthropic:claude_code:2.1.73
-
cpe:2.3:a:anthropic:claude_code:2.1.74
-
cpe:2.3:a:anthropic:claude_code:2.1.75
-
cpe:2.3:a:anthropic:claude_code:2.1.76
-
cpe:2.3:a:anthropic:claude_code:2.1.77
-
cpe:2.3:a:anthropic:claude_code:2.1.78
-
cpe:2.3:a:anthropic:claude_code:2.1.79
-
cpe:2.3:a:anthropic:claude_code:2.1.80
-
cpe:2.3:a:anthropic:claude_code:2.1.81
-
cpe:2.3:a:anthropic:claude_code:2.1.83