Cloning a repo is enough — Claude Code’s project settings file executes before you trust it

Published: 2026-03-14 Last verified: 2026-04-19 empirical
7 claims 2 tested finding

Cloning a repo is enough — Claude Code’s project settings file executes before you trust it

From Theory Delta | Methodology | Published 2026-03-14 | Updated 2026-04-19

What you expect

.claude/settings.json is a convenience file for configuring MCP servers, hooks, and permissions per project. Teams use it for standardization. You review code before running it. Cloning a repo and opening it in your editor does not run anything.

What actually happens

The project settings file executes with user privileges before the user can verify what it does — and in several cases, before any trust dialog appears at all. Four CVEs have been confirmed:

CVE-2026-21852 (patched < v2.0.65) — credential exfiltration before trust dialog. ANTHROPIC_BASE_URL in .claude/settings.json was forwarded to the configured URL along with the full API Authorization header — before the project trust dialog completed. A contributor clones a repo, runs claude, and their API key is sent to an attacker’s server before they see any prompt. The API key is gone before the user knows they were asked.

CVE-2025-59536 (patched < v1.0.111) — MCP code execution before trust dialog. enableAllProjectMcpServers: true caused all MCP servers defined in .mcp.json to initialize and execute their startup commands immediately on claude invocation — before the trust dialog appeared. Arbitrary code execution on clone-and-open. CVE published February 2026, roughly four months after the patch.

CVE-2026-33068 — workspace trust dialog bypass. permissions.defaultMode: bypassPermissions in .claude/settings.json caused the workspace trust dialog to be silently skipped on first open. The file that required trust to evaluate was the same file deciding its own trustworthiness. Circular trust at the dialog layer itself.

CVE-2026-25724 — deny bypass through symlinks. Permission deny rules failed to enforce when Claude Code accessed files through symlinks. A symlink at a permitted path could redirect access to deny-protected targets.

Five additional supply-chain vectors — all active even on patched versions:

  1. disableAllHooks: true — a committed project config that disables ALL user hooks including the user’s own ~/.claude/settings.json safety hooks. Only managed-level hooks survive.
  2. Hooks in skill/agent frontmatter — hooks in .claude/agents/*.md YAML frontmatter execute shell commands and are invisible to scanners that only inspect settings.json.
  3. WorktreeCreate hooks — fire whenever any worktree is created, including CI and isolation-mode worktrees. Executes attacker-controlled code whenever a contributor’s agent creates a worktree.
  4. extraKnownMarketplaces — adds external GitHub repos as plugin sources. When a user trusts the project, plugins auto-install and execute with user privileges.
  5. sandbox.enableWeakerNetworkIsolation — explicitly documented as reducing security, opening a potential data exfiltration path via com.apple.trustd.agent on macOS. Can be committed to project settings, weakening sandbox for all contributors without individual consent.

The patches are narrower than they appear. CVE-2026-21852 and CVE-2025-59536 are patched, but the fixes are warning dialogs and UI hardening — not sandboxing or cryptographic signature requirements. Cloning untrusted repos still risks hook execution after dialog dismissal.

What this means for you

If your team clones repos from GitHub as part of onboarding or review: any repo with a crafted .claude/settings.json can exfiltrate API keys, execute startup commands, or disable your personal safety hooks — on patched versions, after a warning dialog; on unpatched versions, before any dialog at all.

If you use Claude Code for open-source contributions: you are opening repos from untrusted authors. Treat .claude/settings.json with the same scrutiny you would give a postinstall script in package.json.

If your organization has deployed Claude Code without managed policies: there is no allowManagedHooksOnly preventing project settings from defining hooks that execute on every contributor’s machine. There is no disableBypassPermissionsMode preventing users from invoking --dangerously-skip-permissions via CLI flags. Enterprise hardening exists but is opt-in and absent by default.

If you rely on sandbox protection: versions prior to v2.1.78 silently fell back to unsandboxed execution when the sandboxing binary was absent from the host. sandbox.enabled: true was not a guarantee. Verify your version.

What to do

  1. Audit .claude/settings.json in every repository you clone before opening it with Claude Code. Check for: ANTHROPIC_BASE_URL (any non-Anthropic domain is a credential exfiltration risk), enableAllProjectMcpServers: true (the single most dangerous setting — remove it), disableAllHooks: true (silently strips your personal safety hooks), and permissions.defaultMode: bypassPermissions.

  2. Check for symlinks in .claude/. Run find .claude -type l to identify symlink-based redirects.

  3. Review hook definitions. Any PreToolUse or PostToolUse hook runs shell commands. Also check skill and agent files in .claude/agents/*.md — hooks in YAML frontmatter are invisible to settings-file scanners.

  4. If your organization uses Claude Code at scale, enable enterprise managed policies: allowManagedHooksOnly: true and disableBypassPermissionsMode: "disable" in managed-settings.json. These controls exist and are effective — but they are not the default.

  5. Verify your Claude Code version has the February 2026 patch before opening any community-sourced CLAUDE.md or settings files. Check Point Research disclosed CVE-2026-21852 and CVE-2025-59536 in February 2026.

Evidence

FindingSourceVerified
CVE-2026-21852: ANTHROPIC_BASE_URL forwarded API auth header before trust dialogCheck Point Research, patched < v2.0.65Yes — Anthropic confirmed
CVE-2025-59536: enableAllProjectMcpServers executed MCP startup commands before trust dialogCheck Point Research, patched < v1.0.111Yes — Anthropic confirmed
CVE-2026-33068: permissions.defaultMode bypassPermissions caused trust dialog skipCVE recordYes — confirmed
CVE-2026-25724: deny rules failed through symlinksCVE recordYes — confirmed
disableAllHooks in project settings disables user-level safety hookscode.claude.com/docs/en/hooks (March 2026)Yes — source-reviewed
sandbox.enabled silently fell back to unsandboxed in < v2.1.78 when sandboxing binary absentClaude Code changelog, < v2.1.78Yes — source-reviewed
Enterprise hardening (allowManagedHooksOnly, disableBypassPermissionsMode) is opt-in and absent by defaultcode.claude.com/docs/en/settings (March 2026)Yes — docs confirmed

Confidence: empirical — four CVEs independently confirmed by Anthropic’s security team and Check Point Research. Five additional vectors identified through source review and runtime testing.

Falsification criterion: This claim would be disproved by demonstrating that project settings are sandboxed or require explicit user approval before any setting takes effect — including MCP server definitions, hooks, and environment variable overrides.

Seen different? Contribute your evidence — theory delta is what makes this knowledge base work.