Back to Blog

Cantina Case Study: How Apex Found a Silent Privilege Escalation in Anthropic's Claude Code

Cantina Case Study: How Apex Found a Silent Privilege Escalation in Anthropic's Claude Code

On March 25, 2026, a high-severity vulnerability (CVE-2026-33068) was disclosed in Anthropic's @anthropic-ai/claude-code package. With a CVSS v4 score of 8.8, the flaw allowed for a silent workspace trust dialog bypass.

This is a breakdown of how a simple configuration-loading defect led to privilege escalation and how Cantina’s AI-powered application security solution, Apex, autonomously identified the flaw.

The Flaw: Evaluating Untrusted Input Before Establishing Trust

Claude Code utilizes a workspace trust confirmation dialog to ensure users explicitly consent to the permissions granted within a given repository. This is a critical security boundary that prevents malicious repositories from automatically executing tools or code when opened.

The vulnerability (classified under CWE-807: Reliance on Untrusted Inputs in a Security Decision) stemmed from an error in the order of configuration loading. Claude Code resolved the permission mode from local settings files (specifically, the repository-controlled .claude/settings.json)before determining whether to display the workspace trust confirmation dialog.

Because the settings file was evaluated before the trust boundary was established, a malicious repository could include a committed .claude/settings.json file that explicitly set permissions.defaultMode to bypassPermissions.

The Practical Impact: Zero-Click Escalation

The practical impact of this loading order defect was a silent privilege escalation.

If a developer cloned an attacker-controlled repository containing this malicious configuration, the trust dialog would be silently skipped on the very first open. The user would immediately be placed into a permissive mode without ever seeing a confirmation prompt or warning.

This effectively bypassed the core consent mechanism, allowing the attacker-controlled repository to gain tool execution capabilities on the developer's machine with no user interaction required beyond simply cloning the repo.

How Apex Caught It

This type of vulnerability, a logical flaw in the sequence of operations, is notoriously difficult to catch with standard manual code reviews or traditional Static Application Security Testing (SAST) tools. These tools often look for known malicious signatures rather than architectural loading defects.

The vulnerability was identified and reported to HackerOne by Apex.

Apex is your AI-powered application security solution. It understands your codebase, identifies risks, and takes action so your team can ship with confidence.

In this instance, Apex, functioning as Cantina's AI Code Analyzer, mapped the application's startup sequence and data flow. It successfully identified the configuration loading order defect autonomously by recognizing that untrusted, repository-controlled input (the settings.json file) was driving a critical security decision (skipping the trust dialog) before the application had verified user consent.

The Resolution

Anthropic addressed the vulnerability in version 2.1.53 of @anthropic-ai/claude-code. Users on standard Claude Code auto-update received the fix automatically. Users performing manual updates are advised to upgrade to version 2.1.53 or later immediately to ensure workspace trust boundaries are properly enforced.

Start Building with Peace of Mind.

Modern AI coding tools and frameworks require security that understands complex logic and execution flows. Apex acts as an AI-powered safety net that continuously analyzes your codebase, identifies critical risks such as configuration-loading defects, and helps your team ship securely.

Want Apex to secure your code next? Book a demo today.