[BUG] dangerouslyDisableSandbox bypasses sandbox without prompting in auto-allow mode
Summary
Same issue as #14268 (closed). When Bash is in permissions.allow and sandbox auto-allow is enabled, commands using dangerouslyDisableSandbox: true execute without any user prompt. The sandbox bypass is silently auto-approved alongside the tool itself.
The core problem: autoAllowBashIfSandboxed grants auto-approval because the sandbox is protecting the user. But dangerouslyDisableSandbox: true removes that protection — and the auto-approval still carries through. The precondition for the trust no longer holds, yet the trust persists.
Steps to Reproduce
- Enable sandbox with auto-allow mode (
/sandbox→ option 1) - Add
Bashtopermissions.allowin~/.claude/settings.json:
``json``
{
"permissions": {
"allow": ["Bash"]
}
}
- Have Claude attempt to write outside the sandbox:
echo "test" > /tmp/sandbox-bypass-test.txt - Sandbox blocks it correctly:
operation not permitted - Claude retries with
dangerouslyDisableSandbox: true - Command executes — no prompt shown, file is written
Expected Behavior
dangerouslyDisableSandbox: true should trigger a separate permission prompt, regardless of auto-allow status. Sandbox bypass is a different security decision from tool approval. The auto-allow is predicated on the sandbox being active — removing the sandbox should invalidate the auto-allow.
Actual Behavior
Command runs silently. User has no visibility that the sandbox was bypassed.
Environment
- Claude Code CLI version: 2.1.77
- Platform: macOS 26.0.1
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗