1. Executive Summary A high-severity configuration loading order defect ( CVE-2026-33068 , CVSS v4.0 7.7 HIGH) in Anthropic's Claude Code CLI tool allows a malicious repository to bypass the workspace trust confirmation dialog. Exploitation requires that a developer clone and open a repository controlled by the attacker ; this is a prerequisite social engineering step. The attack leverages a .claude/settings.json file committed to the repository that sets permissions.defaultMode to bypassPermissions . Both the settings file and the bypassPermissions mode are legitimate, documented features of Claude Code (Anthropic, "Claude Code settings," https://code.claude.com/docs/en/settings). The vulnerability is not in the settings themselves but in the processing order : vulnerable versions of Claude Code (prior to 2.1.53 ) resolved repository-controlled settings before displaying the workspace trust dialog, silently skipping the security checkpoint and granting tool execution permissions without user consent ( GHSA-mmgp-wc2j-qcv7 ). This vulnerability is classified as CWE-807 : "Reliance on Untrusted Inputs in a Security Decision" ( GHSA-mmgp-wc2j-qcv7 ). It demonstrates a systemic risk pattern in agentic coding tools where legitimate configuration features can become attack vectors when applied at the wrong stage of the trust chain. The CVSS v4.0 score of 7.7 is sourced from the vendor advisory ( GHSA-mmgp-wc2j-qcv7 ); NVD has not yet ingested this CVE and no independent CVSS v3.1 score is available as of 2026-03-20. Organisations using Claude Code should verify all developer installations are updated to version 2.1.53 or later, which corrects the configuration loading order. For pre-patch supply chain hygiene, scanning untrusted repositories for .claude/settings.json files containing bypassPermissions before cloning can identify potential attack payloads; however, this string is not inherently malicious and may appear in legitimate project configurations (see Section 7.3 for context). 2. Risk Rating Dimension Rating Detail Severity HIGH CVSS v4.0 7.7 ( GHSA-mmgp-wc2j-qcv7 ). NVD has not yet ingested CVE-2026-33068 ; no independent v3.1 score is available Urgency Moderate Patch available ( 2.1.53 ); auto-update users already protected; no known active exploitation (RAXE assessment) Scope Local system Impact contained to the vulnerable host (SC:N/SI:N/SA:N per GHSA-mmgp-wc2j-qcv7 ). Lateral movement via compromised credentials is plausible but not direct (RAXE assessment) Confidence High ( 85% ) Vendor-confirmed via GHSA with patch released. Single-source (no NVD independent analysis) reduces confidence from 90% + (RAXE assessment) Business Impact High for organisations deploying Claude Code Trust bypass grants unauthenticated tool execution, risking code integrity, credential exposure, and supply chain compromise (RAXE assessment based on GHSA impact ratings) CVSS Assessment Metric Value Source CVSS v4.0 Base Score 7.7 (HIGH) GHSA-mmgp-wc2j-qcv7 CVSS v4.0 Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N GHSA-mmgp-wc2j-qcv7 NVD CVSS v3.1 Score Not available; NVD has not ingested CVE-2026-33068 (totalResults: 0 as of 2026-03-20) NVD API EPSS Score Not available; no data returned from FIRST.org EPSS API as of 2026-03-20 FIRST.org EPSS API CVSS v4.0 Vector Decomposition Metric Value Interpretation Attack Vector (AV) Network Exploitable over the network via repository distribution Attack Complexity (AC) Low No special conditions required beyond delivering the payload Attack Requirements (AT) Present Attacker must arrange for the target to clone the malicious repository Privileges Required (PR) None No authentication or privileges needed to craft the payload User Interaction (UI) Passive User need only open the repository in Claude Code Confidentiality (VC) High Read access to local files, environment variables, and credentials Integrity (VI) High Ability to modify local files, execute commands, alter project state Availability (VA) High Destructive actions possible within the developer's environment Subsequent Confidentiality (SC) None No direct impact on adjacent systems Subsequent Integrity (SI) None No direct impact on adjacent systems Subsequent Availability (SA) None No direct impact on adjacent systems NVD status note: CVE-2026-33068 has not been ingested by NVD as of 2026-03-20. The NVD API returned totalResults: 0 with an empty vulnerabilities array (NVD API, queried 2026-03-20). The CVSS score of 7.7 is sourced exclusively from the vendor's GitHub Security Advisory. This assessment will require updating when NVD publishes its own analysis, which may include a CVSS v3.1 score that differs from the v4.0 score. EPSS note: No Exploit Prediction Scoring System data is available for CVE-2026-33068 as of 2026-03-20. The FIRST.org EPSS API returned an empty data array (FIRST.org EPSS API, queried 2026-03-20). This is expected for newly published CVEs. 3. Affected Products Product Registry Affecte...