A deep-dive into CVE-2026-33068 — the flaw that let a single malicious CLAUDE.md file bypass every deny rule you configured, and silently walk away with your API keys.