[BUG]

Resolved 💬 2 comments Opened Feb 20, 2026 by kylesiegelai-a11y Closed Mar 20, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Cowork maintains read/write access to a mounted folder even after all of the following steps:

Force quitting the Claude Desktop app (Cmd+Q and Force Quit)
Revoking the app's access to the Documents folder in macOS System Settings → Privacy & Security → Files and Folders
Reopening the app and starting a new conversation

The folder remains mounted and fully accessible inside the VM. There is no user-facing mechanism to disconnect a folder mid-session, and macOS-level permission changes are not respected by the VM.

What Should Happen?

What should happen?

Force quitting the app should fully tear down the VM and release all folder mounts
Revoking macOS folder permissions should prevent any subsequent session from accessing that folder
A new conversation should never inherit folder mounts from a previous session
Users should have a way to disconnect a mounted folder mid-session without ending the conversation

Error Messages/Logs

none

Steps to Reproduce

Steps to reproduce

Open Claude Desktop, start a Cowork session
Mount a folder inside the Documents directory (e.g., ~/Documents/compiled and done/)
Confirm Claude can read/write files in the folder
Force quit Claude Desktop
Go to macOS System Settings → Privacy & Security → Files and Folders → revoke Claude Desktop's access to Documents
Reopen Claude Desktop, start a new Cowork session
Ask Claude to access a file in the previously mounted folder — it still can

Claude Model

Not sure / Multiple models

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

claude desktop cowork

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Security implications
This undermines the core security model described in Cowork documentation, which states that "Claude can only access folders you select" and "closing the app ends the session." Users currently have no reliable way to revoke folder access once granted.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗