[BUG] ask/deny permissions bypassed when Bash command cd's outside the launch directory

Resolved 💬 3 comments Opened Mar 23, 2026 by riccardosarro Closed Mar 26, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report
  • [x] I am using the latest version of Claude Code

What's Wrong?

When a Bash command uses cd to change to a directory outside the project launch directory, ask/deny rules in ~/.claude/settings.json are not enforced — the command executes without any permission prompt.

Note: I'm aware that allowlists/permission rules are not a security boundary, but this is still a correctness bug worth fixing — the rules are simply ignored in this case.

What Should Happen?

ask and deny rules should apply regardless of what working directory the command ends up running in. A cd prefix should not cause permission rules to be skipped.

Steps to Reproduce

  1. Add Bash(testcommand *) to the "ask" section of ~/.claude/settings.json:

``json
{
"permissions": {
"ask": [
"Bash(testcommand *)"
]
}
}
``

  1. Launch Claude Code in a project directory
  2. Ask Claude to run testcommand abc → permission prompt appears ✓
  3. Ask Claude to run cd .. && testcommand abcno prompt, executes directly

Error Messages/Logs

None — the bug is the absence of a prompt.

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Claude Code Version

2.1.81 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

The ask rules in ~/.claude/settings.json are intended to be global (user-level). The fact that they only apply when the working directory stays within the launch directory makes them unreliable — any chained command with cd /outside/project && will silently bypass them.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗