[BUG]Critical Security: Accept All on code changes allows SSH/rm commands on remote servers without new permission prompt

Resolved 💬 6 comments Opened Jan 9, 2026 by oly-tech Closed Feb 24, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When a user clicks "Accept All" during a plan mode approval for local code modifications, this permission unexpectedly carries over to completely unrelated contexts introduced later in the conversation - including SSH commands to remote production servers.

In my case:

  1. I approved a plan to modify local Flutter/Python code
  2. I clicked "Accept All" to allow Claude to edit those files
  3. Much later in the conversation, I provided SSH credentials to transfer files to my production server
  4. Claude executed multiple SSH commands without any permission prompt, including:
  • scp commands to transfer files
  • ssh commands to run remote operations
  • ssh ... "rm -f ..." to delete files on my production server

At no point was I asked to approve SSH access or remote commands. The "Accept All" I gave for local code edits was silently extended to remote server operations.

What Should Happen?

  1. "Accept All" should be scoped to the specific context where it was granted (local file modifications in this case)
  2. Plan mode permissions should reset once the plan is completed/executed
  3. SSH commands to remote servers should ALWAYS require explicit new permission, regardless of previous acceptances
  4. Destructive commands (rm, rm -f, rm -rf) on remote servers should require explicit confirmation even if SSH was previously approved
  5. A new context (remote server) introduced later in conversation should trigger a new permission request

Error Messages/Logs

No error messages - that's the problem. Commands executed silently without permission prompts:

  scp -P 22 /local/path/file.py root@xxxx:/var/www/xxxx/file.py
  ssh -p 22 root@xxxx "chown www-data:www-data /var/www/..."
  ssh -p 22 root@ xxxx "rm -f /var/www/xxxx/file.py"

  All executed with no "Accept/Reject" prompt shown to user.

Steps to Reproduce

  1. Start a new Claude Code conversation
  2. Ask Claude to plan a code modification task (e.g., "Add a new feature to my Flutter app")
  3. When Claude presents the plan and requests permission, click "Accept All"
  4. Let Claude complete the local code modifications
  5. Later in the same conversation, provide SSH credentials: "Transfer these files to my server via SSH: root@x.x.x.x port 22"
  6. Observe: Claude executes SSH/SCP commands without any new permission prompt
  7. Claude may even execute rm commands on your remote server without asking

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

2.1.2

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Security Impact: CRITICAL

This bug allows Claude to:

  • Access remote servers without explicit permission
  • Execute arbitrary commands on production systems
  • Delete files (rm -f) on remote servers
  • Potentially cause data loss or system damage

Why this happened technically:

  • My SSH public key was already authorized on the server (no password barrier)
  • The "Accept All" from plan mode was never scoped or reset
  • SSH commands go through the Bash tool, which was blanket-approved

Suggested Fixes:

  1. Scope permissions by context: "Accept All" for local files ≠ "Accept All" for remote servers
  2. Reset permissions after plan completion: Plan mode permissions should not persist indefinitely
  3. Special handling for SSH/SCP: Remote server access should always require fresh approval
  4. Warn on destructive remote commands: rm, rm -f, rm -rf on remote hosts should have extra confirmation
  5. Track "new contexts": When a server/host is first mentioned, require new permission grant

The conversation flow was:

[User asks for feature implementation]
[Claude enters plan mode]
[User clicks "Accept All" for code changes] <-- Permission granted here
[Claude modifies local Flutter/Python files]
[Plan completed]
... later ...
[User provides SSH details for deployment for first time during conversation ever mentioning a SSH]
[Claude runs SSH commands WITHOUT asking] <-- Bug: should have asked at least if accept the SSH
[Claude runs rm -f on server WITHOUT asking] <-- Critical: should DEFINITELY have asked

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗