autoAllowBashIfSandboxed auto-approves commands that disable the sandbox
Preflight
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When autoAllowBashIfSandboxed: true is set, Bash commands with dangerouslyDisableSandbox: true are auto-approved without prompting. The user should be prompted, since the sandbox — the safety mechanism that justifies auto-approval — is explicitly bypassed.
This creates a path where the model can escalate its own permissions without user approval: sandbox failure → unsandboxed retry → auto-approved.
What Should Happen?
The retry with dangerouslyDisableSandbox: true should prompt the user. autoAllowBashIfSandboxed should only auto-approve commands that are actually running inside the sandbox.
Error Messages/Logs
Get "https://api.github.com/zen": tls: failed to verify certificate: x509: OSStatus -26276
Steps to Reproduce
- Set the following in
~/.claude/settings.json:
``json``
{
"permissions": {
"allow": []
},
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true,
"network": {
"allowedDomains": ["github.com"]
}
}
}
- Ask Claude to run a
ghCLI command (e.g., "rungh api /zen") - The command fails due to sandbox network restrictions (TLS certificate verification failure)
- The model identifies this as a sandbox-caused failure and retries with
dangerouslyDisableSandbox: true - The command auto-approves and executes without prompting the user
Claude Model
Opus
Is this a regression?
I don't know
Claude Code Version
2.1.52 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
VS Code integrated terminal
Additional Information
The model's built-in instructions tell it to "IMMEDIATELY retry with dangerouslyDisableSandbox: true" when it detects sandbox-caused failures, and state "This will prompt the user for permission." In practice, the prompt doesn't appear — autoAllowBashIfSandboxed applies regardless of whether the sandbox is active for that command.
Related: #19375 — similar gap in how autoAllowBashIfSandboxed interacts with the permission system
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗