Unauthorized File Access Bypass in Claude Code

Resolved 💬 3 comments Opened Jul 30, 2025 by Liam-Fitzpatrick Closed Aug 15, 2025

Bug Report: Permission Deny Rules Not Applied Consistently Across File Paths

Summary

Permission deny rules for file reading are not consistently enforced when the same file is accessed through
different absolute paths.

Environment

  • Platform: Linux (WSL2)
  • OS Version: Linux 5.15.146.1-microsoft-standard-WSL2
  • Multiple working directories configured

Steps to Reproduce

  1. Add deny rule with glob pattern: Read(**/sensitive*.json)
  2. Attempt to read the same file through different absolute paths:
  • Path A: /mnt/c/path/to/project/sensitive.json
  • Path B: /home/user/path/to/project/sensitive.json

Expected Behavior

All paths pointing to files matching the glob pattern should be denied access consistently.

Actual Behavior

  • Some paths are correctly denied access
  • Other paths to the same file are incorrectly allowed access
  • Behavior is inconsistent between different absolute paths

Impact

This allows sensitive files to be read despite deny rules being in place, creating a security vulnerability.
Users may believe their files are protected when they are actually accessible through alternative paths.

Additional Notes

  • The issue occurs when multiple paths point to the same physical file
  • This may be related to how WSL2 handles multiple mount points or symlinks
  • The permission system appears to evaluate paths differently depending on how they're accessed

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗