CVE-2026-40068

GHSA-q5hj-mxqh-vv77 HIGH
Published April 24, 2026

Claude Code used the git worktree `commondir` file when determining folder trust but did not validate its contents. By crafting a repository with a `commondir` file pointing to a path the victim had previously trusted, an attacker could bypass the trust dialog and immediately execute malicious hooks defined in the repository's `.claude/settings.json`.


Affected Systems

Package                      Ecosystem   Vulnerable range       Patched
@anthropic-ai/claude-code    npm         >= 2.1.63, < 2.1.84    2.1.84


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: N/A

Recommended Action

Patch available

Update @anthropic-ai/claude-code to version 2.1.84 or later. Installs on standard auto-update have already received the fix; manually updated installs need to be updated by hand.


Frequently Asked Questions

What is CVE-2026-40068?

CVE-2026-40068 (GHSA-q5hj-mxqh-vv77) is "Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution": a crafted git worktree `commondir` file pointing at a path the victim had already trusted let a malicious repository skip the folder-trust dialog and immediately run hooks defined in its `.claude/settings.json`.

Is CVE-2026-40068 actively exploited?

No confirmed active exploitation of CVE-2026-40068 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-40068?

Update to the patched version, @anthropic-ai/claude-code 2.1.84 or later. Versions from 2.1.63 up to but not including 2.1.84 are affected.

What is the CVSS score for CVE-2026-40068?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Claude Code used the git worktree `commondir` file when determining folder trust but did not validate its contents. By crafting a repository with a `commondir` file pointing to a path the victim had previously trusted, an attacker could bypass the trust dialog and immediately execute malicious hooks defined in `.claude/settings.json`. Exploiting this required the victim to clone a malicious repository and run Claude Code within it, and for the attacker to know or guess a path the victim had already trusted. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version. Claude Code thanks [hackerone.com/masato_anzai](https://hackerone.com/masato_anzai) for reporting this issue.
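The description above hinges on how git locates a worktree's shared repository: `.git` in a linked worktree is a file reading `gitdir: <path>`, and if `$GIT_DIR/commondir` exists, its contents (relative to `$GIT_DIR`, or absolute) name the common git directory. The following is an added Python example, not Claude Code's code and not its patch, that reproduces the unvalidated resolution the advisory describes next to one possible validation: only inherit the main worktree's trust when the common directory's own bookkeeping (`worktrees/<name>/gitdir`) links back to this worktree. The function names, the on-disk fixtures and the trusted-path set are constructed assumptions; git's file conventions are real.

```python
"""Trust-root resolution for a git worktree, before and after validating
`commondir`.  Added example; not Claude Code's implementation or patch."""
import tempfile
from pathlib import Path


def git_dir(worktree: Path) -> Path:
    """Return $GIT_DIR: `.git` is a directory in the main worktree, or a
    `gitdir: <path>` file in a linked worktree."""
    dot_git = worktree / ".git"
    if dot_git.is_dir():
        return dot_git.resolve()
    text = dot_git.read_text().strip()
    if not text.startswith("gitdir:"):
        raise ValueError(f"unrecognised .git file in {worktree}")
    target = Path(text[len("gitdir:"):].strip())
    if not target.is_absolute():
        target = worktree / target
    return target.resolve()


def common_dir_unvalidated(gitdir: Path) -> Path:
    """Git's own rule: if $GIT_DIR/commondir exists, its contents name the
    shared git directory (relative to $GIT_DIR, or absolute)."""
    cd = gitdir / "commondir"
    if not cd.is_file():
        return gitdir
    target = Path(cd.read_text().strip())
    if not target.is_absolute():
        target = gitdir / target
    return target.resolve()


def trust_key_vulnerable(worktree: Path) -> Path:
    """Behaviour the advisory describes: whatever `commondir` says is the
    shared repository decides which trust entry applies."""
    common = common_dir_unvalidated(git_dir(worktree))
    return common.parent  # the main worktree's folder


def trust_key_hardened(worktree: Path) -> Path:
    """Assumed mitigation (not the vendor's): inherit the main worktree's
    trust only if git's records link the two directories both ways;
    otherwise key trust on this folder itself, so the dialog is shown."""
    worktree = worktree.resolve()
    gitdir = git_dir(worktree)
    common = common_dir_unvalidated(gitdir)
    if common == gitdir:
        return worktree  # ordinary repository, no commondir indirection
    # 1. $GIT_DIR must be a direct entry under <common>/worktrees/
    try:
        rel = gitdir.relative_to(common / "worktrees")
    except ValueError:
        return worktree
    if len(rel.parts) != 1:
        return worktree
    # 2. That entry's `gitdir` file must point back at *this* worktree's .git
    back = gitdir / "gitdir"
    if not back.is_file():
        return worktree
    back_target = Path(back.read_text().strip())
    if not back_target.is_absolute():
        return worktree
    if back_target.resolve() != (worktree / ".git").resolve():
        return worktree
    return common.parent


def build_fixtures(root: Path) -> dict:
    """Constructed layouts (not from the advisory): a trusted repo `main`
    with one genuine linked worktree `wt1`, and a crafted repo whose
    `.git/commondir` points at the trusted repo's git directory."""
    main, wt, evil = root / "main", root / "wt1", root / "evil-clone"
    admin = main / ".git" / "worktrees" / "wt1"  # git's per-worktree admin dir
    admin.mkdir(parents=True)
    (main / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (admin / "commondir").write_text("../..\n")
    (admin / "gitdir").write_text(f"{wt / '.git'}\n")
    wt.mkdir()
    (wt / ".git").write_text(f"gitdir: {admin}\n")
    (evil / ".git").mkdir(parents=True)
    (evil / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (evil / ".git" / "commondir").write_text(f"{main / '.git'}\n")
    return {"main": main, "wt": wt, "evil": evil}


def run_demo() -> dict:
    """Evaluate both resolvers against a trust set containing only `main`."""
    root = Path(tempfile.mkdtemp()).resolve()
    fx = build_fixtures(root)
    trusted = {fx["main"]}
    return {
        "wt_vulnerable": trust_key_vulnerable(fx["wt"]) in trusted,
        "wt_hardened": trust_key_hardened(fx["wt"]) in trusted,
        "evil_vulnerable": trust_key_vulnerable(fx["evil"]) in trusted,
        "evil_hardened": trust_key_hardened(fx["evil"]) in trusted,
    }


if __name__ == "__main__":
    for name, inherited in run_demo().items():
        print(f"{name}: {'trusted, no dialog' if inherited else 'untrusted, dialog shown'}")
```

The genuine worktree inherits trust under both resolvers; the crafted repository inherits it only under the unvalidated one, because its `$GIT_DIR` is not an entry under the trusted repository's `worktrees/` and nothing there points back at it. Every failed check degrades to keying trust on the folder itself, so a broken or hostile layout produces a trust prompt rather than an error or a silent bypass.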

Timeline

Published: April 24, 2026
Last Modified: April 24, 2026
First Seen: April 24, 2026

Related Vulnerabilities