Security: dangerouslyDisableSandbox bypasses permission prompts when tool is auto-approved

Resolved 💬 7 comments Opened Dec 17, 2025 by shawnsw Closed Mar 14, 2026

Security Issue: dangerouslyDisableSandbox bypasses permission prompts when tool is auto-approved

Summary

When dangerouslyDisableSandbox: true is used with the Bash tool, and Bash is in the user's auto-approved tools list, the sandbox bypass executes without any user confirmation. This allows file operations outside the project directory without user awareness.

Environment

  • Claude Code CLI
  • Bash tool in auto-approved list

Steps to Reproduce

  1. Configure Bash as an auto-approved tool (common setup for reduced friction)
  2. Create a test file outside project directory: touch ~/test1
  3. Have Claude attempt to delete it with sandbox enabled:

``text
Bash(rm ~/test1)
→ Error: Operation not permitted (sandbox blocked correctly)
``

  1. Have Claude retry with sandbox disabled:

``text
Bash(rm ~/test1, dangerouslyDisableSandbox: true)
→ File deleted, no user prompt
``

Expected Behavior

dangerouslyDisableSandbox: true should trigger an independent permission confirmation, regardless of whether the tool itself is auto-approved. The sandbox bypass is a separate security decision from tool approval.

Suggested flow:

Claude wants to run: rm ~/test1
⚠️  Sandbox bypass requested - this command will run without filesystem restrictions
[Allow once] [Allow for session] [Deny]

Actual Behavior

Command executes immediately without any user confirmation because Bash is auto-approved. The dangerouslyDisableSandbox flag silently bypasses the sandbox.

Security Impact

  • Medium severity: Requires Claude to intentionally set the flag, but user has no visibility
  • Files outside project directory can be read/modified/deleted without user awareness
  • User's trust model assumes sandbox protects against operations outside allowed paths
  • Auto-approving Bash (common for workflow efficiency) inadvertently grants sandbox bypass

Suggested Fix

Decouple sandbox bypass authorization from tool authorization:

  1. dangerouslyDisableSandbox: true should always require explicit user confirmation
  2. This confirmation should be separate from the tool's auto-approval status
  3. Consider adding a session-level or project-level setting: "Allow sandbox bypass for this project"

Related

  • Sandbox configuration documentation
  • Tool auto-approval settings

View original on GitHub ↗

This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗