Anthropic's Claude Code had a workspace trust bypass (CVE-2026-33068). Not a prompt injection or AI attack. A configuration loading order bug. Fixed in 2.1.53.

*Anthropic's Claude Code Had a Workspace Trust Bypass Vulnerability*

In a recent advisory, Anthropic's own Claude Code CLI tool was found to have a security vulnerability in versions prior to 2.1.53. The issue was not an AI-specific attack, but rather a configuration loading order bug.

*CVE-2026-33068: Workspace Trust Dialog Bypass*

The vulnerability, identified as CVE-2026-33068 (CVSS 7.7 HIGH), is a workspace trust dialog bypass. A malicious repository could include a .claude/settings.json file with bypassPermissions entries that would be applied before the user was shown the trust confirmation dialog. This allowed an attacker to bypass the trust confirmation dialog and gain access to the workspace.

*Root Cause: Configuration Loading Order Defect*

The root cause of the issue is a configuration loading order defect, classified as CWE-807: Reliance on Untrusted Inputs in a Security Decision. This means that the configuration was being loaded from an untrusted source (the repository) before the user was presented with the trust confirmation dialog. This broke the trust boundary between the "untrusted repository" and "approved workspace".

*A Familiar Class of Bug*

This type of bug is not unique to AI tools. It is a familiar class of bug that has existed in IDEs, package managers, and build tools for years. The trust boundary between untrusted inputs and secure decision-making is a common challenge in software development, and it is not specific to AI tools.

*Fix and Advisory*

Anthropic has fixed the issue in version 2.1.53. The full advisory can be found at https://raxe.ai/labs/advisories/RAXE-2026-040. This advisory is a reminder that AI tools, like all software, are subject to the same security vulnerabilities as other software. It is not enough to simply focus on AI-specific attacks; we must also address the common security challenges that arise from flawed design and implementation.

The discussion around AI safety is often focused on novel AI-specific attack classes, such as prompt injection. However, this vulnerability illustrates that the security challenges of AI tools are not limited to these novel attack classes. By acknowledging and addressing the common security vulnerabilities that arise from flawed design and implementation, we can work towards creating more secure AI tools.