[Bug] allowedTools and disallowedTools configuration ignored in .mcp.json

Resolved 💬 3 comments Opened Jan 24, 2026 by MA-Ambrose Closed Jan 29, 2026

Description

Claude Code ignores allowedTools and disallowedTools fields in .mcp.json, exposing all tools registered by an MCP server regardless of user-defined restrictions.

Reproduction Steps

  1. Configure an MCP server in .mcp.json with explicit allowedTools or disallowedTools:
{
  "mcpServers": {
    "obsidian-mcp-tools": {
      "command": "/path/to/mcp-server",
      "allowedTools": [
        "mcp__obsidian-mcp-tools__search_vault_simple",
        "mcp__obsidian-mcp-tools__get_server_info"
      ],
      "disallowedTools": [
        "mcp__obsidian-mcp-tools__delete_vault_file",
        "mcp__obsidian-mcp-tools__create_vault_file"
      ]
    }
  }
}
  1. Start a Claude Code session
  2. Ask Claude: "what MCP tools are available"

Expected Behavior

Only tools in allowedTools should be available (or if using disallowedTools, all tools except those listed).

Actual Behavior

All tools registered by the MCP server are available and callable, ignoring the filtering configuration entirely.

Security Impact

This is a security boundary violation. Users configure tool restrictions to:

  • Prevent destructive operations (delete, overwrite)
  • Limit scope to read-only or specific operations
  • Enforce least-privilege access

When Claude Code advertises a filtering interface but doesn't enforce it, users have a false sense of security while the agent retains full access to restricted operations.

Environment

  • Platform: macOS (Darwin 24.6.0)
  • Claude Code version: [run claude --version]

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗