This release includes 2 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Light signal: `/usage` now details per‑category limit consumption; `/diff` detail view adds keyboard scrolling support.
Why it matters: The /usage breakdown helps developers and SREs monitor resource usage across skills, subagents, plugins, and MCP costs. Keyboard navigation in /diff improves accessibility for all users.
Summary
AI summary: Fixed PowerShell permission bypass and sandbox write allowlist overreach.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Fixed PowerShell permission bypass where built‑in `cd` functions changed directory undetected, allowing later commands to read outside workspace. Source: llm_adapter@2026-05-23. Confidence: low. | — |
| Security | Medium | Fixed sandbox write allowlist in git worktrees to restrict writes to `.git/` (denying `hooks/` and `config`) instead of whole repo root. Source: llm_adapter@2026-05-23. Confidence: low. | — |
| Security | Medium | Fixed permission‑analysis gap where stale `PWD`/`OLDPWD`/`DIRSTACK` values were trusted across `cd`, `pushd`, `popd`. Source: llm_adapter@2026-05-23. Confidence: low. | — |
| Feature | Medium | /usage now shows per-category breakdown of limits usage (skills, subagents, plugins, MCP-server cost). Source: llm_adapter@2026-05-23. Confidence: high. | — |
| Feature | Medium | /diff detail view can be scrolled with keyboard (arrows, j/k, PgUp/PgDn, Space, Home/End). Source: llm_adapter@2026-05-23. Confidence: high. | — |
| Feature | Medium | Markdown output renders GFM task list checkboxes (`- [ ]` / `- [x]`) instead of plain bullets. Source: llm_adapter@2026-05-23. Confidence: high. | — |
| Feature | Medium | Enterprise setting `allowAllClaudeAiMcps` added to load claude.ai cloud MCP connectors alongside `managed-mcp.json`. Source: llm_adapter@2026-05-23. Confidence: high. | — |
| Feature | Medium | /feedback reports now include pre‑compaction conversation for easier triage of early issues. Source: llm_adapter@2026-05-23. Confidence: high. | — |
| Performance | Medium | Fixed `find` in Bash tool exhausting macOS vnode table and crashing host on large directory trees. Source: llm_adapter@2026-05-23. Confidence: high. | — |
| Bugfix | Medium | Fixed PowerShell prefix/wildcard allow rules not pre‑approving native executables and scripts (e.g., `PowerShell(dotnet.exe build *)`). Source: llm_adapter@2026-05-23. Confidence: high. | — |
| Bugfix | Medium | Fixed managed‑settings approval dialog leaving terminal frozen after accepting at startup. Source: llm_adapter@2026-05-23. Confidence: high. | — |
| Bugfix | Medium | Fixed `/ultraplan` and remote session creation failing with “Could not capture uncommitted changes” when working tree has no real changes. Source: llm_adapter@2026-05-23. Confidence: high. | — |
| Bugfix | Medium | Fixed `otelHeadersHelper` silently failing when script path contains spaces; errors now reported in `/doctor` and debug log. Source: llm_adapter@2026-05-23. Confidence: high. | — |
| Bugfix | Medium | /insights no longer crashes when cached session‑meta files miss optional fields. Source: llm_adapter@2026-05-23. Confidence: high. | — |
| Bugfix | Medium | Fixed renaming a Remote Control session from claude.ai or mobile app not updating local session name for `claude --resume`. Source: llm_adapter@2026-05-23. Confidence: high. | — |
| Bugfix | Medium | Fixed thinking spinner remaining amber across tool calls and onto fresh thinking bursts. Source: llm_adapter@2026-05-23. Confidence: low. | — |
| Bugfix | Medium | Fixed collapsed Bash output reporting incorrect hidden‑line count for outputs with many short lines. Source: llm_adapter@2026-05-23. Confidence: low. | — |
| Bugfix | Medium | Fixed slash‑command argument hint clipping trailing typed characters when hint overflows input box. Source: llm_adapter@2026-05-23. Confidence: low. | — |
| Bugfix | Medium | Fixed argument‑hint and progressive arg suggestions not appearing after Tab‑completing a skill whose frontmatter `name:` differs from directory basename. Source: llm_adapter@2026-05-23. Confidence: low. | — |
| Bugfix | Medium | Fixed status bar showing baseline `/effort` instead of effort level applied by skill/agent `effort:` frontmatter. Source: llm_adapter@2026-05-23. Confidence: low. | — |
| Bugfix | Medium | Fixed Ctrl+O transcript view freezing at open instead of tailing new messages. Source: llm_adapter@2026-05-23. Confidence: low. | — |
| Bugfix | Medium | Fixed editing a recalled prompt‑history entry losing edit when navigating further with arrow keys. Source: llm_adapter@2026-05-23. Confidence: low. | — |
| Bugfix | Medium | Fixed `/config` exit summary reporting phantom changes to auto‑compact and theme when toggling unrelated settings. Source: llm_adapter@2026-05-23. Confidence: low. | — |
| Bugfix | Medium | Fixed malformed PowerShell and History tool calls with missing input being mis‑classified as reads in transcript collapsing. Source: llm_adapter@2026-05-23. Confidence: low. | — |
| Bugfix | Medium | Fixed race where a just‑submitted prompt could appear twice in up‑arrow history. Source: llm_adapter@2026-05-23. Confidence: low. | — |
| Bugfix | Medium | Fixed “Jump to bottom” pill not dismissing immediately when tapped in fullscreen mode. Source: llm_adapter@2026-05-23. Confidence: low. | — |
Full changelog
What's changed
- `/usage` now shows a per-category breakdown of what's driving your limits usage — skills, subagents, plugins, and per-MCP-server cost
- `/diff` detail view can now be scrolled with the keyboard (arrows, `j`/`k`, `PgUp`/`PgDn`, `Space`, `Home`/`End`)
- Markdown output now renders GFM task list checkboxes (`- [ ] todo` / `- [x] done`) instead of plain bullets
- Enterprise: added the `allowAllClaudeAiMcps` managed setting to load claude.ai cloud MCP connectors alongside `managed-mcp.json`
- Fixed a PowerShell permission bypass: built-in `cd` functions (`cd..`, `cd\`, `cd~`, `X:`) changed the working directory undetected, letting a later command read outside the workspace
- Fixed the sandbox write allowlist in git worktrees covering the entire main repository root instead of only the shared `.git` directory (with `hooks/` and `config` denied)
- Fixed PowerShell prefix/wildcard allow rules (e.g. `PowerShell(dotnet.exe build *)`) not pre-approving native executables and scripts
- Fixed a permission-analysis gap where the parser trusted stale variable-tracking values for `PWD`/`OLDPWD`/`DIRSTACK` across `cd`/`pushd`/`popd`
- Fixed `find` in the Bash tool exhausting the macOS system file/vnode table and crashing the host on large directory trees
- Fixed the managed-settings approval dialog leaving the terminal frozen after accepting at startup
- Fixed `/ultraplan` and remote session creation failing with "Could not capture uncommitted changes" when the working tree has no real changes
- Fixed `otelHeadersHelper` failing silently when the script path contains spaces; helper failures are now reported in `/doctor` and the debug log
- Fixed the thinking spinner staying amber across tool calls and onto fresh thinking bursts
- Fixed collapsed Bash output reporting the wrong hidden-line count for outputs with many short lines
- Fixed slash-command argument-hint clipping trailing typed characters when the hint overflows the input box
- Fixed argument-hint and progressive arg suggestions not appearing after Tab-completing a skill whose frontmatter `name:` differs from its directory basename
- Fixed the status bar showing the user's baseline `/effort` setting instead of the effort level applied by skill/agent `effort:` frontmatter
- Fixed Ctrl+O transcript view freezing at the moment it was opened instead of tailing new messages
- Fixed editing a recalled prompt-history entry losing the edit when navigating further up/down with arrow keys
- Fixed `/config` exit summary reporting phantom changes to auto-compact and theme when toggling unrelated settings
- Fixed `/insights` crashing when cached session-meta files are missing optional fields
- Fixed malformed PowerShell and History tool calls with missing input being misclassified as reads in transcript collapsing
- Fixed renaming a Remote Control session from claude.ai or the Claude mobile app not updating the local session name for `claude --resume`
- Fixed a race where a just-submitted prompt could appear twice in the up-arrow history
- Fixed tapping the "Jump to bottom" pill in fullscreen mode not dismissing it immediately
- Improved `/feedback` reports to include the conversation that happened before context compaction, making issues from earlier in long sessions easier to triage
Security Fixes
- Fixed PowerShell permission bypass: built-in `cd` functions (`cd..`, `cd\`, `cd~`, drive letter) changed the working directory undetected, allowing later commands to read outside the workspace
- Fixed sandbox write allowlist in git worktrees covering entire repository root instead of only `.git` (with `hooks/` and `config` denied)
Earlier breaking changes
- v2.1.160 Renames dynamic‑workflow trigger keyword from `workflow` to `ultracode`; `workflow` no longer triggers a run
- v2.1.160 Deprecates and removes the `CLAUDE_CODE_OPUS_4_6_FAST_MODE_OVERRIDE` environment variable; it is now a no‑op
- v2.1.147 Renames /simplify to /code-review; removes cleanup-and-fix behavior.