Security Hardening Across Skills, Sandboxing, and MCP Trust


Claude Code v2.1.69 ships three distinct security fixes targeting separate attack surfaces: nested skill discovery that could load skills from gitignored directories like node_modules, a symlink bypass allowing writes outside the working directory in acceptEdits mode, and a trust dialog regression that silently enabled all .mcp.json servers on first run without per-server approval. Each fix closes a different class of privilege or scope escalation vulnerability exploitable via malicious project configurations or crafted repositories.


Three Security Fixes Land in Claude Code v2.1.69

Claude Code v2.1.69 addresses three distinct security vulnerabilities across the skills system, file sandboxing, and MCP server trust management. Together they amount to a targeted hardening pass over several attack surfaces in a single release.

Fix 1: Nested Skill Discovery From Gitignored Directories

Claude Code's skill discovery system recursively searches for SKILL.md files in the project tree to surface available skills. A bug allowed this discovery to traverse into gitignored directories — most significantly node_modules — meaning a malicious npm package could embed a SKILL.md file designed to inject unauthorized instructions or expand Claude's tool permissions without the developer's knowledge. The fix limits skill discovery to non-gitignored directories, closing the supply-chain vector entirely.

Fix 2: Symlink Bypass in acceptEdits Mode

In acceptEdits mode, Claude Code automatically accepts file write operations without a per-operation prompt. A symlink bypass allowed writing new files through a symlinked parent directory to escape the declared working directory, potentially modifying files outside the project root. The fix validates the resolved write target against the working directory boundary before accepting any edit, regardless of whether the path traverses a symlink.
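One way to implement the boundary check described above, as an added example that is not Claude Code's own code; the names resolveForWrite, isWriteAllowed and demo are hypothetical. Because a new file has no real path yet, it canonicalizes the deepest existing ancestor, and it refuses dangling symlinks.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
// Canonicalize a path that may not exist yet via its deepest existing ancestor.
function resolveForWrite(target) {
  let head = path.resolve(target);
  const tail = [];
  for (;;) {
    try {
      return path.join(fs.realpathSync(head), ...tail);
    } catch (err) {
      if (err.code !== 'ENOENT') throw err;
      // Entry exists but does not resolve: dangling symlink, so refuse.
      if (fs.lstatSync(head, { throwIfNoEntry: false })) throw err;
      tail.unshift(path.basename(head));
      head = path.dirname(head);
    }
  }
}

// True only if the canonical write target stays inside the canonical workdir.
function isWriteAllowed(workdir, target) {
  try {
    const root = fs.realpathSync(workdir);
    const real = resolveForWrite(path.resolve(root, target));
    const rel = path.relative(root, real);
    return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
  } catch {
    return false; // fail closed when the path cannot be resolved
  }
}

// Constructed sample tree: project/ with symlinks that point outside of it.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'edit-boundary-'));
  const project = path.join(base, 'project');
  fs.mkdirSync(path.join(project, 'src'), { recursive: true });
  fs.mkdirSync(path.join(base, 'outside'));
  fs.symlinkSync(path.join(base, 'outside'), path.join(project, 'link'));
  fs.symlinkSync(path.join(base, 'missing'), path.join(project, 'dangling'));
  const results = {
    plain: isWriteAllowed(project, 'src/new/file.txt'),
    viaSymlink: isWriteAllowed(project, 'link/new.txt'),
    dotDot: isWriteAllowed(project, '../outside/new.txt'),
    dangling: isWriteAllowed(project, 'dangling'),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
```

A check like this is only valid at the moment it runs: if the directory tree can change between the check and the write, the result can be stale.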

Fix 3: MCP Trust Dialog Silent-Enablement

The MCP trust dialog — which is supposed to require explicit per-server approval before any .mcp.json-defined server becomes active — was silently enabling all configured servers on first run. Opening a project containing a crafted .mcp.json file would connect all listed MCP servers without user confirmation, bypassing the approval flow entirely. The fix ensures the per-server approval dialog appears as expected on every first open, even when enableAllProjectMcpServers or enabledMcpServers are present in repository configuration.

Broader Context

These fixes arrive in the aftermath of publicly disclosed CVE-2025-59536 and CVE-2026-21852, two remote code execution vulnerabilities in Claude Code's hook and project file system documented by Check Point Research in February 2026. The v2.1.69 changes address distinct attack surfaces from those CVEs, indicating that Anthropic's security hardening work is actively progressing across multiple areas of the codebase in parallel.