allowedPrompts from ExitPlanMode persist beyond plan scope, silently auto-approving dangerous commands

Resolved 💬 3 comments Opened Feb 20, 2026 by mannewalis Closed Feb 24, 2026

Severity: High - Security/Permissions Bypass

Summary

allowedPrompts granted during plan approval via ExitPlanMode persist for the entire session and silently auto-approve Bash commands that were never explicitly authorized by the user. This allowed a git push --force-with-lease to execute without any permission prompt, despite the user never approving push permissions.

Reproduction

  1. Start a session in plan mode
  2. Claude calls ExitPlanMode with allowedPrompts like:

``json
[
{"tool": "Bash", "prompt": "run git rebase"},
{"tool": "Bash", "prompt": "resolve merge conflicts"},
{"tool": "Bash", "prompt": "run build to verify"}
]
``

  1. User approves the plan (intending to authorize only the rebase workflow)
  2. Plan completes successfully
  3. User makes a separate request: "commit and push"
  4. Claude runs git add && git commit && git push --force-with-lease in a single Bash call
  5. The command executes without any permission prompt — the force push goes through silently

The user was never running --dangerously-skip-permissions.

Expected Behavior

  • allowedPrompts should be scoped to the plan they were approved for, not persist indefinitely
  • At minimum, destructive/remote-affecting commands like git push --force should always require explicit approval regardless of allowedPrompts
  • Semantic matching on prompts like "resolve merge conflicts" should not broadly auto-approve unrelated commands like git push

Actual Behavior

  • allowedPrompts persisted beyond the plan scope for the rest of the session
  • Broad semantic matching on "resolve merge conflicts" auto-approved git push --force-with-lease
  • User received zero prompts for a destructive action affecting their remote repository

Impact

A force push to a remote repository was executed without the user's knowledge or approval. This is a significant permissions bypass — the user had no opportunity to review or reject the action.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗