/model silently wipes sandbox allowlist - security issue

Resolved 💬 5 comments Opened Apr 7, 2026 by askldjd Closed May 24, 2026

Related to #22659 (locked) and #17982. Filing separately because the security angle didn't survive those being closed as config persistence bugs.

What happens

Using /model rewrites ~/.claude/settings.json from scratch. Anything in permissions.allow is gone. Your sandbox restrictions just stop being enforced.

Steps to reproduce

  1. Add network/file restrictions to ~/.claude/settings.json via sandbox.network.allowedHosts.
  2. Use /model to switch models
  3. Check settings.json — the allowedHosts is gone

Why this matters

Sandbox restrictions aren't config preferences, they're access controls. If they get silently wiped by a model switch, you might not notice until something that should've been blocked gets through.

This got closed as a dup twice already. I think this deserve a higher priority review because there is a serious security element involved.

Version

Claude Code 2.1.92
Fedora 43

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗