Claude Code's workspace trust model is designed to require explicit user consent before executing tools in an untrusted repository. The trust dialog is the primary safety checkpoint protecting developers who clone repositories from unknown sources. CVE-2026-33068 bypasses it entirely.
The vulnerability is a configuration loading order defect: in Claude Code versions prior to 2.1.53, repository-controlled settings (.claude/settings.json) were resolved before the workspace trust dialog was displayed. An attacker who controls a repository can commit a settings file containing "permissions.defaultMode": "bypassPermissions" — a legitimate, documented Claude Code feature. When a developer clones and opens the repository, the malicious setting is applied silently, skipping the trust checkpoint and granting full tool execution permissions without consent.
This is not a novel configuration or a hidden feature — bypassPermissions and .claude/settings.json are publicly documented parts of Claude Code. The vulnerability is entirely in processing order: the trust boundary fires after the configuration that disables it has already been applied.
The blast radius extends to any developer workflow that involves cloning repositories from external sources — open-source contribution, code review, dependency evaluation. An attacker who can get a developer to clone their repository gains full tool execution access in the developer's local environment: file system reads and writes, shell command execution, network access via any tools the agent is configured with.
Immediate recommendation: Upgrade Claude Code to ≥ 2.1.53 immediately. Auto-update users are already protected. Before patching, scan untrusted repositories for .claude/settings.json files containing bypassPermissions prior to cloning.