[Bug] allowedTools and disallowedTools configuration ignored in .mcp.json
Resolved 💬 3 comments Opened Jan 24, 2026 by MA-Ambrose Closed Jan 29, 2026
Description
Claude Code ignores allowedTools and disallowedTools fields in .mcp.json, exposing all tools registered by an MCP server regardless of user-defined restrictions.
Reproduction Steps
- Configure an MCP server in
.mcp.jsonwith explicitallowedToolsordisallowedTools:
{
"mcpServers": {
"obsidian-mcp-tools": {
"command": "/path/to/mcp-server",
"allowedTools": [
"mcp__obsidian-mcp-tools__search_vault_simple",
"mcp__obsidian-mcp-tools__get_server_info"
],
"disallowedTools": [
"mcp__obsidian-mcp-tools__delete_vault_file",
"mcp__obsidian-mcp-tools__create_vault_file"
]
}
}
}
- Start a Claude Code session
- Ask Claude: "what MCP tools are available"
Expected Behavior
Only tools in allowedTools should be available (or if using disallowedTools, all tools except those listed).
Actual Behavior
All tools registered by the MCP server are available and callable, ignoring the filtering configuration entirely.
Security Impact
This is a security boundary violation. Users configure tool restrictions to:
- Prevent destructive operations (delete, overwrite)
- Limit scope to read-only or specific operations
- Enforce least-privilege access
When Claude Code advertises a filtering interface but doesn't enforce it, users have a false sense of security while the agent retains full access to restricted operations.
Environment
- Platform: macOS (Darwin 24.6.0)
- Claude Code version: [run
claude --version]
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗