Main Vulnerability Database SB2026043030

SB2026043030 - Reliance on Untrusted Inputs in a Security Decision in Claude Code

Published: April 30, 2026

Security Bulletin ID SB2026043030

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Reliance on Untrusted Inputs in a Security Decision (CVE-ID: CVE-2026-33068)

The vulnerability allows a remote attacker to gain tool execution without explicit user consent.

The vulnerability exists due to reliance on untrusted inputs in a security decision in the workspace trust dialog logic when processing the repo-controlled .claude/settings.json file on first open. A remote attacker can commit a malicious settings file that sets permissions.defaultMode to bypassPermissions to gain tool execution without explicit user consent.

User interaction is required when the victim first opens a malicious repository.

Remediation

Install update from vendor's website.

References

https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7