[BUG] Claude can bypass "no nesting" rule and/or `deny` permissions via env variable prefix

Resolved 💬 2 comments Opened Mar 6, 2026 by tylerlaprade Closed Mar 6, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

<img width="1566" height="246" alt="Image" src="https://github.com/user-attachments/assets/84723141-f216-4fd7-9561-9d54cb176587" />

<img width="1452" height="1174" alt="Image" src="https://github.com/user-attachments/assets/ab851f26-e896-4fcd-993d-618b37e10de5" />

What Should Happen?

Forbidden actions should still be forbidden

Error Messages/Logs

Steps to Reproduce

  1. Tell Claude to do something he can't do, e.g. calling claude himself or any command in your deny settings.
  2. Observe that he's blocked.
  3. Tell him he can bypass it via an ENV variable prefix
  4. Observe that he can do the forbidden action

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.70

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Other

Additional Information

It happens on claude.ai/code as well

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗