CloudCodeTree LogoCloudCodeTree
AI NewsTutorialsAbout
CloudCodeTree Logo
CloudCodeTree
  • AI News
  • Tutorials
  • About
← Back to AI News
Claude Code 2.1.207 Breaks Hooks That Read User Config: Switch to exec Form Before Your Next Update

Claude Code 2.1.207 Breaks Hooks That Read User Config: Switch to exec Form Before Your Next Update

Chris Harper

1 min read

Jul 12, 2026 · 12:04 UTC

AI
News
Claude Code
Best Practices

Claude Code 2.1.207 (July 11) blocks shell-form hook commands that interpolate ${user_config.*} variables — a targeted security hardening that silently breaks hook configs using that pattern.

The change affects hooks, monitors, and the headersHelper field in MCP server configs. If any of your entries look like this:

{
  "hooks": {
    "PreToolUse": [{"command": "validate-key --token ${user_config.api_token}"}]
  }
}

...that hook will be rejected at startup after updating. Switch to exec form with the args array, or pass the value as a plugin option via CLAUDE_PLUGIN_OPTION_<KEY>:

{
  "hooks": {
    "PreToolUse": [{
      "command": "validate-key",
      "args": ["--token", "$CLAUDE_PLUGIN_OPTION_API_TOKEN"]
    }]
  }
}

The same release also flips Bedrock's default model to Claude Opus 4.8 (previously unset), fixes the auto-updater overwriting custom launcher scripts at ~/.local/bin/claude, and moves auto mode config out of .claude/settings.local.json — use ~/.claude/settings.json for that now.

Why it matters: Hooks that pull from user_config will stop executing silently after upgrading past 2.1.207 — check both .claude/settings.json and ~/.claude/settings.json before your next claude update.

Sources: Claude Code Changelog — code.claude.com