{"data":{"id":"bb6c0ba5-923d-4ef1-8aec-093eadc5e77a","title":"GHSA-q5hj-mxqh-vv77: Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution","summary":"Claude Code had a security flaw where it checked a git worktree (a Git feature allowing multiple branch checkouts in separate directories) `commondir` file to decide if a folder was trustworthy, but didn't verify the file's contents. An attacker could create a malicious repository with a fake `commondir` file pointing to a folder the victim had previously trusted, tricking Claude Code into skipping its safety dialog and running malicious code from `.claude/settings.json` (a configuration file). This attack required the victim to clone the malicious repository and open it in Claude Code, and the attacker had to know a path the victim had already marked as safe.","solution":"Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-q5hj-mxqh-vv77","publishedAt":"2026-04-24T16:34:03.000Z","cveId":"CVE-2026-40068","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["@anthropic-ai/claude-code@>= 2.1.63, < 2.1.84 (fixed: 2.1.84)"],"affectedVendors":["Anthropic"],"affectedVendorsRaw":["Claude Code","Anthropic"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-24T16:34:03.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"plugin","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0010"]}}