[BUG]Critical Security: Accept All on code changes allows SSH/rm commands on remote servers without new permission prompt
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When a user clicks "Accept All" during a plan mode approval for local code modifications, this permission unexpectedly carries over to completely unrelated contexts introduced later in the conversation - including SSH commands to remote production servers.
In my case:
- I approved a plan to modify local Flutter/Python code
- I clicked "Accept All" to allow Claude to edit those files
- Much later in the conversation, I provided SSH credentials to transfer files to my production server
- Claude executed multiple SSH commands without any permission prompt, including:
- scp commands to transfer files
- ssh commands to run remote operations
- ssh ... "rm -f ..." to delete files on my production server
At no point was I asked to approve SSH access or remote commands. The "Accept All" I gave for local code edits was silently extended to remote server operations.
What Should Happen?
- "Accept All" should be scoped to the specific context where it was granted (local file modifications in this case)
- Plan mode permissions should reset once the plan is completed/executed
- SSH commands to remote servers should ALWAYS require explicit new permission, regardless of previous acceptances
- Destructive commands (rm, rm -f, rm -rf) on remote servers should require explicit confirmation even if SSH was previously approved
- A new context (remote server) introduced later in conversation should trigger a new permission request
Error Messages/Logs
No error messages - that's the problem. Commands executed silently without permission prompts:
scp -P 22 /local/path/file.py root@xxxx:/var/www/xxxx/file.py
ssh -p 22 root@xxxx "chown www-data:www-data /var/www/..."
ssh -p 22 root@ xxxx "rm -f /var/www/xxxx/file.py"
All executed with no "Accept/Reject" prompt shown to user.
Steps to Reproduce
- Start a new Claude Code conversation
- Ask Claude to plan a code modification task (e.g., "Add a new feature to my Flutter app")
- When Claude presents the plan and requests permission, click "Accept All"
- Let Claude complete the local code modifications
- Later in the same conversation, provide SSH credentials: "Transfer these files to my server via SSH: root@x.x.x.x port 22"
- Observe: Claude executes SSH/SCP commands without any new permission prompt
- Claude may even execute rm commands on your remote server without asking
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.1.2
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
Security Impact: CRITICAL
This bug allows Claude to:
- Access remote servers without explicit permission
- Execute arbitrary commands on production systems
- Delete files (rm -f) on remote servers
- Potentially cause data loss or system damage
Why this happened technically:
- My SSH public key was already authorized on the server (no password barrier)
- The "Accept All" from plan mode was never scoped or reset
- SSH commands go through the Bash tool, which was blanket-approved
Suggested Fixes:
- Scope permissions by context: "Accept All" for local files ≠ "Accept All" for remote servers
- Reset permissions after plan completion: Plan mode permissions should not persist indefinitely
- Special handling for SSH/SCP: Remote server access should always require fresh approval
- Warn on destructive remote commands: rm, rm -f, rm -rf on remote hosts should have extra confirmation
- Track "new contexts": When a server/host is first mentioned, require new permission grant
The conversation flow was:
[User asks for feature implementation]
[Claude enters plan mode]
[User clicks "Accept All" for code changes] <-- Permission granted here
[Claude modifies local Flutter/Python files]
[Plan completed]
... later ...
[User provides SSH details for deployment for first time during conversation ever mentioning a SSH]
[Claude runs SSH commands WITHOUT asking] <-- Bug: should have asked at least if accept the SSH
[Claude runs rm -f on server WITHOUT asking] <-- Critical: should DEFINITELY have asked
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗