This release includes 1 security fix for security teams reviewing exposed deployments.
Summary
AI summary: Fixed permission-prompt bypass that auto-approved bare variable assignments to non-allowlisted environment variables in Bash commands.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium | `claude agents --json` added to list live Claude sessions as JSON for scripting. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Feature | Medium | `agent_id` and `parent_agent_id` attributes added to `claude_code.tool` OTEL spans. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Feature | Medium | Status line JSON input now includes GitHub repo and PR information when detected. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Feature | Medium | `/plugin` Discover and Browse screens show plugin commands, agents, skills, hooks, and MCP/LSP servers before installation. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Feature | Medium | `claude agents` terminal tab title shows the awaiting-input count for attention. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Feature | Medium | Slash command and @-mention suggestion list supports mouse hover and click in fullscreen mode. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Performance | Medium | Read tool now returns a truncated first page with a "PARTIAL view" notice instead of a hard error when a file exceeds the token limit. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Bugfix | Medium | MCP prompt slash commands now show named missing-argument errors with usage when a required argument is omitted. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Bugfix | Medium | Cross-project resume hint failure in default Windows PowerShell 5.1 fixed; uses `;` as command separator on Windows. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Bugfix | Medium | Agent Teams teammates with non-ASCII names no longer fail API calls due to invalid header encoding. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Bugfix | Medium | `claude plugin validate` now flags `skills:` entries pointing at a file instead of a directory and suggests the parent directory. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high) | — |
| Bugfix | Medium | Permission-prompt bypass fixed for bare variable assignments to non-allowlisted environment variables in Bash commands. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Bugfix | Medium | Spinner and elapsed-time display freezing fixed after terminal resize or refocus. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Bugfix | Medium | Voice push-to-talk issue in agent view's reply pane resolved. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Bugfix | Medium | Task lists rendering in random order when several tasks are created at once fixed. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Bugfix | Medium | Stale "Failed to install Anthropic marketplace" banner removed when marketplace already installed. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Bugfix | Medium | PR badge in footer now updates immediately after `gh pr create` and other PR-state-changing commands. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Bugfix | Medium | `/review` no longer uses the deprecated `projectCards` GraphQL query, fixing errors on repos with Classic Projects. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
| Bugfix | Medium | Infinite loop where a skill using `context: fork` repeatedly re-invoked itself fixed. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low) | — |
Full changelog
What's changed
- Added `claude agents --json` to list live Claude sessions as JSON for scripting (tmux-resurrect, status bars, session pickers)
- Added `agent_id` and `parent_agent_id` attributes to `claude_code.tool` OTEL spans, and fixed trace parenting so background subagent spans nest under the dispatching Agent tool span
- Status line JSON input now includes GitHub repo and PR information when detected
- `/plugin` Discover and Browse screens now show a plugin's commands, agents, skills, hooks, and MCP/LSP servers before installation
- `claude agents` terminal tab title now shows the awaiting-input count so an alt-tabbed window tells you when an agent needs attention
- Slash command and @-mention suggestion list now supports mouse hover and click in fullscreen mode
- Stop and SubagentStop hook input now includes `background_tasks` and `session_crons` fields
- Fixed a permission-prompt bypass where bare variable assignments to non-allowlisted environment variables in Bash commands were auto-approved
- Fixed MCP prompt slash commands showing raw server validation errors when a required argument is omitted — the error now names the missing argument and shows expected usage
- Fixed the spinner and elapsed-time display freezing until a keypress after the terminal was resized or refocused
- Fixed the cross-project resume hint failing in default Windows PowerShell 5.1 — Windows now uses `;` as the command separator
- Fixed voice push-to-talk not working in the agent view's reply pane
- Fixed task lists rendering in random order when several tasks are created at once
- Fixed stale "Failed to install Anthropic marketplace" banner showing when the marketplace is already installed
- Fixed the PR badge in the footer not updating immediately after `gh pr create` and other PR-state-changing commands run in-session
- Fixed Agent Teams teammates with non-ASCII names failing every API call due to invalid header encoding
- Fixed `/review` using a deprecated `projectCards` GraphQL query that errored on repos with Classic Projects
- Fixed `claude plugin validate` not flagging `skills:` entries that point at a file instead of a directory — the error now suggests the parent directory
- Fixed an infinite loop where a skill using `context: fork` could repeatedly re-invoke itself instead of running
- Improved the Read tool to return a truncated first page with a "PARTIAL view" notice instead of a hard error when a whole-file read exceeds the token limit
Security Fixes
- Fixed permission-prompt bypass that auto-approved bare variable assignments to non-allowlisted environment variables in Bash commands
Earlier breaking changes
- v2.1.160 Renames dynamic‑workflow trigger keyword from `workflow` to `ultracode`; `workflow` no longer triggers a run
- v2.1.160 Deprecates and removes the `CLAUDE_CODE_OPUS_4_6_FAST_MODE_OVERRIDE` environment variable; it is now a no‑op
- v2.1.147 Renames /simplify to /code-review; removes cleanup-and-fix behavior.