[BUG] dangerouslyDisableSandbox bypasses sandbox without prompting in auto-allow mode

Resolved 💬 4 comments Opened Mar 17, 2026 by quantkit Closed Apr 15, 2026

Summary

Same issue as #14268 (closed). When Bash is in permissions.allow and sandbox auto-allow is enabled, commands using dangerouslyDisableSandbox: true execute without any user prompt. The sandbox bypass is silently auto-approved alongside the tool itself.

The core problem: autoAllowBashIfSandboxed grants auto-approval because the sandbox is protecting the user. But dangerouslyDisableSandbox: true removes that protection — and the auto-approval still carries through. The precondition for the trust no longer holds, yet the trust persists.

Steps to Reproduce

  1. Enable sandbox with auto-allow mode (/sandbox → option 1)
  2. Add Bash to permissions.allow in ~/.claude/settings.json:

``json
{
"permissions": {
"allow": ["Bash"]
}
}
``

  1. Have Claude attempt to write outside the sandbox: echo "test" > /tmp/sandbox-bypass-test.txt
  2. Sandbox blocks it correctly: operation not permitted
  3. Claude retries with dangerouslyDisableSandbox: true
  4. Command executes — no prompt shown, file is written

Expected Behavior

dangerouslyDisableSandbox: true should trigger a separate permission prompt, regardless of auto-allow status. Sandbox bypass is a different security decision from tool approval. The auto-allow is predicated on the sandbox being active — removing the sandbox should invalidate the auto-allow.

Actual Behavior

Command runs silently. User has no visibility that the sandbox was bypassed.

Environment

  • Claude Code CLI version: 2.1.77
  • Platform: macOS 26.0.1

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗