Claude Code Security Advisory: CVE-2026-33068 Workspace Trust Bypass

Security Vulnerability in Claude Code
A security advisory has been issued for Claude Code users regarding CVE-2026-33068, a vulnerability with CVSS score 7.7 (HIGH). The issue affects Claude Code versions prior to 2.1.53.
Technical Details
The vulnerability allows malicious repositories to bypass the workspace trust confirmation dialog. Claude Code includes a legitimate feature called bypassPermissions in .claude/settings.json that lets users pre-approve specific operations in trusted workspaces.
The bug was in the order of operations: settings from the repository's .claude/settings.json were loaded before the workspace trust dialog was shown to the user. This means a cloned repository could include a settings file that grants itself elevated permissions before the user has a chance to review it.
Important nuance: bypassPermissions is a documented, intentional feature. The vulnerability is not in the feature itself but in the loading sequence.
What Users Should Do
- Run
claude --versionto confirm you are on 2.1.53 or later - Before opening any unfamiliar repository with Claude Code, check whether it contains a
.claude/settings.jsonfile and review its contents - If you have been working with repositories from untrusted sources on earlier versions, consider whether any unexpected operations were performed
Fix
Anthropic fixed this vulnerability in version 2.1.53 by reordering the loading sequence. The full advisory with technical details is available at https://raxe.ai/labs/advisories/RAXE-2026-040.
📖 Read the full source: r/ClaudeAI
👀 See Also

Cloak tool replaces chat passwords with self-destructing links for OpenClaw agents
Cloak is an open source tool that replaces passwords shared in chat with OpenClaw agents with self-destructing links. Each link can only be opened once, then the password disappears, preventing passwords from accumulating in chat histories.

OpenClaw's 'Allow Always' Feature Security Flaws and Safer Alternatives
OpenClaw's 'allow always' approval feature has been the subject of two CVEs this month, allowing unauthorized command execution through wrapper command binding and shell line-continuation bypasses. The deeper issue is how the feature trains users to stop paying attention to security prompts.

FORGE: Open Source AI Security Testing Framework for LLM Systems
FORGE is an autonomous AI security testing framework that builds its own tools mid-run, self-replicates into a swarm, and covers OWASP LLM Top 10 vulnerabilities including prompt injection, jailbreak fuzzing, and RAG leakage.

Analysis of Claude Code's Instrumentation and Telemetry Capabilities
A source code analysis reveals Claude Code implements extensive behavior tracking including keyword-based sentiment classification, permission prompt hesitation monitoring, and detailed environment fingerprinting.