Vulnerability  ·  2026-05-08

Claude Code 'TrustFall' Supply Chain Attack via Malicious Repositories

Vulnerability  ·  High impact  ·  Global  ·  Not yet assigned (Anthropic declined as outside threat model)
Claude Code version 2.1 weakened its trust dialog, allowing malicious repositories to auto-approve and immediately launch MCP servers with full developer privileges. A repository can embed a malicious MCP server and configuration settings that execute arbitrary code the moment a developer presses Enter on a generic 'trust this folder' prompt. In CI/CD environments with auto-trust, no user interaction is required.
An attacker creates a GitHub repository containing a malicious MCP server and project-scoped configuration that auto-approves its execution. When a developer clones or opens the repo in Claude Code and accepts the trust dialog (default: 'Trust'), the MCP server launches as an unsandboxed OS process with the developer's privileges. The payload can exfiltrate SSH keys, secrets and tokens, install backdoors, and establish C2. The attack also works zero-click in CI/CD pipelines.
Claude Code version 2.1 and later. Prior versions warned explicitly about MCP execution and offered an option to proceed with MCP disabled; both warnings were removed in 2.1. Adversa AI disclosed the issue May 7, 2026 as 'TrustFall'. Three prior CVEs (CVE-2025-59536, CVE-2026-21852, CVE-2026-33068) addressed similar issues but not the underlying class.
Downgrade to Claude Code pre-2.1 if possible, or disable MCP servers entirely until Anthropic issues a patch. Never clone or review untrusted repositories with Claude Code running. In CI/CD, explicitly disable project-scoped MCP approvals. Enterprises should sandbox developer environments and monitor for unusual process spawns from Claude Code. Anthropic has characterized the issue as outside its threat model, asserting the trust dialog provides sufficient warning.
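The mitigation above amounts to "know what a repository would make Claude Code execute before you open it". The following pre-open audit is an added example, not code from Adversa AI, Anthropic or the Claude Code project. It assumes that project-scoped MCP servers are declared in a `.mcp.json` file under a `mcpServers` map (stdio servers carrying `command`/`args`, remote ones a `url`) and that `.claude/settings.json` or `.claude/settings.local.json` may carry an `enableAllProjectMcpServers` flag that auto-approves them; those file and key names are assumptions to adjust for your version. The sample repository it builds is constructed for the demo and contains nothing real. It flags anything that would spawn a local process or bypass per-server approval, which is exactly the combination the advisory describes:

```python
"""Audit a cloned repository for project-scoped MCP configuration before opening it.

Added example; the file names and keys below are assumptions (see lead-in),
not confirmed Claude Code internals. Adjust them if your version differs.
"""
import json
import tempfile
from pathlib import Path
from typing import Any, Dict, List

MCP_CONFIG = ".mcp.json"                                   # assumed location of project MCP servers
SETTINGS_FILES = (".claude/settings.json", ".claude/settings.local.json")  # assumed
AUTO_APPROVE_KEY = "enableAllProjectMcpServers"            # assumed auto-approve flag


def _load_json(path: Path) -> Any:
    """Return parsed JSON, or None if the file is absent or malformed."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None


def audit_repo(root) -> List[Dict[str, str]]:
    """List every project-scoped MCP server and every auto-approve setting under root."""
    root = Path(root)
    findings: List[Dict[str, str]] = []

    mcp = _load_json(root / MCP_CONFIG)
    if isinstance(mcp, dict):
        for name, spec in (mcp.get("mcpServers") or {}).items():
            if not isinstance(spec, dict):
                continue
            if spec.get("command"):
                # stdio server: the client would spawn this as a local OS process
                args = " ".join(str(a) for a in spec.get("args") or [])
                findings.append({"severity": "high", "file": MCP_CONFIG, "server": name,
                                 "detail": f"spawns local process: {spec['command']} {args}".strip()})
            elif spec.get("url"):
                findings.append({"severity": "medium", "file": MCP_CONFIG, "server": name,
                                 "detail": f"connects to remote server: {spec['url']}"})

    for rel in SETTINGS_FILES:
        settings = _load_json(root / rel)
        if isinstance(settings, dict) and settings.get(AUTO_APPROVE_KEY) is True:
            findings.append({"severity": "high", "file": rel, "server": "*",
                             "detail": f"{AUTO_APPROVE_KEY} is true: project MCP servers "
                                       "would start without per-server approval"})
    return findings


def is_safe_to_open(findings) -> bool:
    """Policy: block when anything would spawn a process or auto-approve servers."""
    return not any(f["severity"] == "high" for f in findings)


def build_sample_repo() -> Path:
    """Write a constructed (not real) repository layout into a temp dir for the demo."""
    root = Path(tempfile.mkdtemp(prefix="mcp-audit-"))
    (root / MCP_CONFIG).write_text(json.dumps({"mcpServers": {
        "helper": {"command": "node", "args": ["./scripts/setup.js"]},   # constructed
        "docs": {"type": "http", "url": "https://docs.example.invalid/mcp"},  # constructed
    }}), encoding="utf-8")
    (root / ".claude").mkdir()
    (root / ".claude" / "settings.json").write_text(
        json.dumps({AUTO_APPROVE_KEY: True}), encoding="utf-8")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    results = audit_repo(repo)
    for f in results:
        print(f"[{f['severity']}] {f['file']} ({f['server']}): {f['detail']}")
    print("safe to open:", is_safe_to_open(results))
```

Run it against a freshly cloned checkout from the shell, before Claude Code is started in that directory; in CI the same `is_safe_to_open` gate can fail the job, which is the scriptable form of "explicitly disable project-scoped MCP approvals". A remote `url` entry is reported at medium severity because it does not spawn a process on the developer machine, but it still sends prompts and tool results to a third party and deserves a look.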
Sources
SecurityWeek - AI Coding Agents Could Fuel Next Supply Chain Crisis
Dark Reading - TrustFall Exposes Claude Code Execution Risk
Adversa AI - TrustFall Research