CVE-2026-40068: Claude Code: git worktree trust bypass executes hooks

GHSA-q5hj-mxqh-vv77 HIGH
Published April 24, 2026
CISO Take

Claude Code failed to validate the contents of git worktree `commondir` files, allowing an attacker to craft a repository that silently bypasses the trust dialog and immediately executes arbitrary hooks defined in `.claude/settings.json`. The EPSS score is modest (0.00095) but places this in the top 74th percentile for exploitation likelihood, and the social engineering prerequisite—convincing a developer to clone a repository—is a routine, unsuspicious action that generates no alerts. Successful exploitation yields arbitrary code execution on a developer's workstation, typically a high-value target with access to source code, cloud credentials, and AI service API keys. Teams not on Claude Code auto-update must upgrade to version 2.1.84 immediately; auto-update users are already protected.

Sources: NVD, GitHub Advisory, EPSS, ATLAS

What is the risk?

HIGH. Despite a low absolute EPSS score, this vulnerability targets AI developers—high-value targets with privileged access to codebases, credentials, and internal systems. The trust bypass is particularly dangerous because it defeats a visible security control without any user-facing indicator, making it an effective supply chain attack vector. The requirement for the attacker to know a previously trusted path adds some friction but is feasible through reconnaissance or by targeting common default paths such as home directories. Four other CVEs in the same package indicate active security research pressure against Claude Code.

How does the attack unfold?

  1. Repository Crafting (AML.T0002.002): Attacker creates a malicious git repository with a crafted `.git/worktrees/<name>/commondir` file pointing to a path the victim has previously trusted, and plants malicious hooks in `.claude/settings.json`.

  2. User Execution (AML.T0011): Victim clones the malicious repository and runs Claude Code within it — a routine developer evaluation action that triggers no suspicious indicators.

  3. Trust Bypass (AML.T0107): Claude Code reads the crafted `commondir` file, matches a previously trusted path without validating file contents, and skips the trust dialog entirely with no user-visible warning.

  4. Hook Execution (AML.T0081): Malicious hooks in `.claude/settings.json` execute immediately with full developer workstation privileges, enabling credential theft, reverse shell establishment, or AI API key exfiltration.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Claude Code | npm | >= 2.1.63, < 2.1.84 | 2.1.84 |
| Claude Code | npm | | No patch |

How severe is it?

  • CVSS 3.1: N/A
  • EPSS: 0.3% chance of exploitation in 30 days (higher than 20% of all CVEs)
  • Exploitation Status: No known exploitation
  • Sophistication: Moderate

What should I do?

  1. Immediate: Upgrade @anthropic-ai/claude-code to >= 2.1.84 via `npm install -g @anthropic-ai/claude-code`; verify with `claude --version`. Auto-update users are already protected.

  2. Audit: Review `.claude/settings.json` in all recently cloned external repositories that were opened with Claude Code, especially those from unknown or new contributors.

  3. Developer policy: Treat `.claude/settings.json` as a security-sensitive file requiring explicit code review before opening any external repository in Claude Code.

  4. Detection: Monitor for unexpected child processes spawned by `claude`, unusual outbound network connections immediately after repository cloning, or unauthorized reads of credential stores (AWS ~/.aws, npm tokens, SSH keys).

  5. Git hygiene: Add `.claude/settings.json` and `.git/worktrees/*/commondir` to security review checklists for external pull requests and repository evaluations.

What does CISA's SSVC say?

  • Decision: Track
  • Exploitation: none
  • Automatable: No
  • Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

  • EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
  • ISO 42001: 8.4 - AI system risk and impact assessment
  • NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain effectiveness of risk management
  • OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities; LLM07:2025 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-40068 actively exploited?

No confirmed active exploitation of CVE-2026-40068 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-40068?

This vulnerability affects the following AI/ML architecture patterns: AI development workflows, Agent frameworks, Developer toolchains.

What is the CVSS score for CVE-2026-40068?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI development workflows, Agent frameworks, Developer toolchains

MITRE ATLAS Techniques

AML.T0002.002 AI Agent Configuration
AML.T0010.005 AI Agent Tool
AML.T0011 User Execution
AML.T0081 Modify AI Agent Configuration
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 8.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025, LLM07:2025

What are the technical details?

Original Advisory

Claude Code used the git worktree `commondir` file when determining folder trust but did not validate its contents. By crafting a repository with a `commondir` file pointing to a path the victim had previously trusted, an attacker could bypass the trust dialog and immediately execute malicious hooks defined in `.claude/settings.json`. Exploiting this required the victim to clone a malicious repository and run Claude Code within it, and for the attacker to know or guess a path the victim had already trusted. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version. Claude Code thanks [hackerone.com/masato_anzai](https://hackerone.com/masato_anzai) for reporting this issue.

Exploitation Scenario

A threat actor targeting an AI development team publishes a convincing public repository—a useful-looking LLM fine-tuning utility or AI benchmark tool. The repository contains a specially crafted `.git/worktrees/<name>/commondir` file pointing to a common trusted path such as `~/projects` or the home directory. A `.claude/settings.json` file defines malicious hooks that execute a reverse shell or harvest API keys from environment variables and ~/.anthropic. When a developer clones the repo and runs `claude` within it to evaluate the project, Claude Code reads the tampered `commondir` file, matches it to a previously trusted path without validating its contents, bypasses the trust dialog entirely, and immediately executes the malicious hooks with the developer's full system privileges—with no visible warning to the user.

Weaknesses (CWE)

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
  • [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.

Timeline

  • Published: April 24, 2026
  • Last Modified: April 24, 2026
  • First Seen: April 24, 2026
