Permission deny rules not enforced for Bash commands
Resolved 💬 5 comments Opened Feb 13, 2026 by jharshman Closed Feb 17, 2026
Bug Description
Claude Code is not respecting the deny rules configured in .claude/settings.json for Bash commands.
Steps to Reproduce
- Configure
.claude/settings.jsonwith a deny rule for gcloud:
{
"permissions": {
"deny": [
"Bash(*gcloud*)"
]
}
}
- Ask Claude to run a gcloud command (e.g.,
run gcloud -horgcloud) - Claude executes the command despite it being in the deny list
Expected Behavior
Commands matching patterns in the deny list should be blocked and never execute, regardless of other settings like dangerouslyDisableSandbox.
Actual Behavior
Claude successfully executed gcloud -h and gcloud commands even though Bash(*gcloud*) is explicitly denied in settings.json.
Configuration
{
"defaultMode": "dontAsk",
"permissions": {
"allow": [...],
"deny": [
"Bash(*kubectl*)",
"Bash(*terraform*)",
"Bash(*aws*)",
"Bash(*gcloud*)",
"Bash(*sudo*)",
"Bash(*rm*)",
...
],
"ask": [...]
},
"sandbox": {
"enabled": false,
"autoAllowBashIfSandboxed": false,
"allowUnsandboxedCommands": false
},
"disableBypassPermissionsMode": "enforce"
}
Impact
This is a security issue as it allows bypassing user-configured safety restrictions for dangerous commands like kubectl, terraform, aws, gcloud, sudo, rm, etc.
Environment
- Claude Code version: [unknown from session]
- Platform: macOS (Darwin 25.1.0)
- Model: claude-sonnet-4-5-20250929
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗