GHSA-mmgp-wc2j-qcv7 (Penligent)

• Entity ID: ent-20260419-1c19c4a14e0e
• Type: issue
• Scope: shared
• Status: active
• Aliases: Penligent bypass, directory-change permission bypass

Description

Vulnerability documented by Penligent: Claude Code resolves permission mode from settings files including repo-controlled ones, enabling a directory-change-based bypass of protected writes. Same architectural failure pattern as CVE-2025-59536 — repo-controlled configuration takes effect before trust is established.

Key claims

• Repo-controlled config takes effect before trust is established

Relations

• CVE-2025-59536 --[related_to]--> GHSA-mmgp-wc2j-qcv7 (Penligent)

Sources

src-20260419-16b155f4f619