v2.1.149

Source: Anthropic Claude Code Date: 2026-05-22 URL: https://github.com/anthropics/claude-code/releases/tag/v2.1.149

Summary

Claude Code v2.1.149 (released 2026-05-22) is a security-and-usability release with two notable security fixes. A PowerShell permission bypass was closed: built-in cd variants (cd.., cd\, cd~, drive-letter shortcuts) were changing the working directory undetected, letting subsequent commands read outside the workspace. A sandbox write-allowlist bug in git worktrees was also patched — it was covering the entire main repository root instead of only the shared .git directory. On the usability side, /usage now shows per-category cost breakdowns (skills, subagents, plugins, per-MCP-server), and the /diff detail view is now keyboard-scrollable.

Implications

Feeds the coding-agent landscape and agentic orchestration patterns threads:

• The two PowerShell security fixes are load-bearing for enterprise deployments on Windows: a permission bypass that lets an agent read outside its workspace is a blocker for regulated environments, and closing it signals Anthropic is actively hardening the Windows surface
• The worktree sandbox fix matters specifically for multi-agent setups that use worktrees for task isolation — the prior behavior undermined the isolation guarantee
• /usage per-category breakdown is the first step toward cost attribution across complex agent topologies; this is a prerequisite for organizations managing multiple concurrent agent sessions
• The enterprise allowAllClaudeAiMcps managed setting enables cloud MCP connectors alongside managed-mcp.json, which lowers the friction for IT-managed deployments to adopt the MCP ecosystem