Permissions bypassed and not persisted in VS Code/Cursor extension

Resolved 💬 6 comments Opened Mar 18, 2026 by aaronsegstro Closed Apr 3, 2026

Environment

  • IDE: Cursor (VS Code fork) — reproduced by multiple users, both local and SSH remote setups
  • Host OS: macOS (Darwin 25.3.0)
  • Auth: Enterprise login
  • Claude Code extension version: 2.1.78

Bug Description

Two related permission issues when using the Claude Code extension in Cursor:

1. Commands execute without permission prompts despite not being in the allow list

Commands like rm are executed without any permission prompt, even though they are not listed in ~/.claude/settings.json permissions.allow. This is a security concern — the permission system appears to be bypassed.

2. "Allow for all projects" does not persist

When clicking "Allow for all projects" on a permission prompt (e.g., for bq ls), the permission is not written to ~/.claude/settings.json. The next time the same command runs, it prompts again (when prompts do appear). No project-level settings files are created either (~/.claude/projects/*/settings.json).

Expected Behavior

  1. Commands not in the allow list should always trigger a permission prompt before execution.
  2. Clicking "Allow for all projects" should persist the permission to ~/.claude/settings.json.

Steps to Reproduce

  1. Open a project in Cursor with the Claude Code extension
  2. Ensure rm (or another potentially destructive command) is not in ~/.claude/settings.json allow list
  3. Ask Claude to run that command
  4. Observe: command executes without a permission prompt
  5. For a command that does prompt, click "Allow for all projects"
  6. Check ~/.claude/settings.json — no new entry is added

Additional Context

  • Reproduced by multiple team members on an enterprise plan, not specific to SSH remote setups
  • ~/.claude/policy-limits.json does not contain any permission-related restrictions
  • Manually editing ~/.claude/settings.json to add allow entries works correctly — the file is being read, just not written to
  • Enterprise auth (not personal API key)

Impact

This is a security-relevant bug. The permission system is a key safety mechanism, and having it silently bypassed undermines user trust and safety guarantees. Users may not realize their allow/deny lists are not being enforced.

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗