Should you update Claude Code right now? Yes. The latest patch landed with v2.1.193 on June 25, 2026, which tightened how auto mode handles shell commands, and the earlier arbitrary code execution fixes shipped in v2.0.71 on December 16, 2025. Recent releases also patched a permission bypass where a backslash-escaped flag could be auto-allowed as read-only and lead to arbitrary code looking execution. Running an old build means those holes are still open on your machine.
The update covers Claude Code everywhere it runs: the terminal CLI, the desktop app, and Claude Code on the web at claude.ai. Web and cloud sessions update on Anthropic’s side automatically, so the one you actually need to check is your local install. Run claude --version and update. Takes under a minute.
What Did The Update Actually Fix?
Several ways Claude Code could run commands it was never supposed to run. The permission hardening covered compound Bash commands bypassing safety prompts, env-var prefixes not prompting, redirects to /dev/tcp auto-allowing, and piped cd segments downgrading deny rules. Each of those sounds small on its own, and that’s kind of the point. None of them looked dangerous in a terminal window, all of them let code execute without you approving it.
There’s history here too. Security researchers at Sonar found two critical flaws that let attackers execute arbitrary code just by tricking a user into running Claude Code inside a malicious project folder, bypassing the trust dialog entirely. Anthropic patched those on December 16, 2025, and the fixes landed in v2.0.71. So the pattern is established: cloning an untrusted repo and opening Claude in it used to be enough to compromise a dev machine. The only defense is staying current.
What Changed For Auto Mode And Shell Commands?
Auto mode got stricter about code execution. Version 2.1.193, released June 25, 2026, added an autoMode.classifyAllShell setting that routes all Bash and PowerShell commands through the auto-mode classifier, instead of only checking commands that match known arbitrary-code-execution patterns. Before this, the classifier only looked at the obviously risky stuff. Now you can make it look at everything.
Anthropic also explained the thinking behind auto mode itself. On entering auto mode, Claude Code drops permission rules known to grant arbitrary code execution, including blanket shell access, wildcarded script interpreters like python and node, and package manager run commands. One guy’s convenient allow-rule is an attacker’s front door, basically.
What Should You Do After Updating?

Three things, none of them hard:
- Run
claude --versionand confirm you’re on a current 2.1.x build. - If you use auto mode heavily, turn on
autoMode.classifyAllShellso every shell command gets checked, not just the flagged patterns. - Stop using
--dangerously-skip-permissionsoutside containers. Anthropic’s own docs say to only use bypass mode in isolated environments like containers or VMs without internet access, where Claude Code cannot damage your host system.
Does The Update Cost Anything?
No. The update itself is free on every plan, and it ships through the normal auto-update channel. Your existing subscription is what you keep paying: Pro sits around $20 a month, Max plans run $100 to $200 a month, and API usage is billed per token separately. There is no separate charge for security patches, which is one more reason there’s no excuse to sit on an old version.
