Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-40068 is a high severity vulnerability with a CVSS score of 8.8. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
Claude Code used the git worktree commondir file when determining folder trust but did not validate its contents. By crafting a repository with a commondir file pointing to a path the victim had previously trusted, an attacker could bypass the trust dialog and immediately execute malicious hooks defined in .claude/settings.json. Exploiting this required the victim to clone a malicious repository and run Claude Code within it, and for the attacker to know or guess a path the victim had already trusted.
Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.
Claude Code thanks hackerone.com/masato_anzai for reporting this issue.
| Vendor | Product |
|---|---|
| Anthropic | Claude Code |
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.