[BUG] Deny rules for Glob and Grep tools are bypassed when using the `path` parameter
Resolved 💬 3 comments Opened Mar 19, 2026 by f5sh Closed Apr 30, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Permission deny rules for the Glob and Grep tools are not enforced when the restricted directory is passed via the path parameter instead of being part of the pattern parameter. This allows access to files in explicitly denied directories.
What Should Happen?
The Glob call should be blocked by the deny rule. Claude should not be able to list or access any files under e.g. /Users/username/Private/.
Error Messages/Logs
Steps to Reproduce
- Add deny rules in
~/.claude/settings.jsonfor a directory:
{
"permissions": {
"deny": [
"Glob(/Users/username/Private/**)",
"Grep(/Users/username/Private/**)"
]
}
}
- Ask Claude to list files in
/Users/username/Private/
- Claude calls the Glob tool with:
path=/Users/username/Privatepattern=*
- The call succeeds and returns all files in the denied directory.
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.78 (Claude Code)
Platform
Other
Operating System
macOS
Terminal/Shell
Other
Additional Information
- OS: macOS (Darwin 25.3.0)
- Shell: zsh
- Model: claude-opus-4-6
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗