Hardcoded UNC path block cannot be bypassed, even with --dangerously-skip-permissions / bypassPermissions mode

Resolved 💬 4 comments Opened Apr 21, 2026 by AndyHaack Closed Apr 24, 2026

Summary

When the working directory is a UNC path (e.g. \\tsclient\C\..., which is legitimate for Hyper-V VMs using Terminal Services drive redirection), Claude Code prompts for every tool invocation and subdirectory access. bypassPermissions mode, --allow-dangerously-skip-permissions, additionalDirectories, and VSCode's security.allowedUNCHosts all have no effect. The CLI contains a hardcoded check:

if (f.startsWith("//") || /DavWWWRoot/i.test(f) || /@SSL@/i.test(f))
  return { allowed: false,
           decisionReason: { type: "other",
             reason: "UNC paths are blocked because they can trigger network requests and credential leakage" }};

and a companion check for Bash commands:

if (FB(q)) return { behavior: "ask",
  message: "Command contains Windows UNC path that could be vulnerable to WebDAV attacks" };

Environment

  • VSCode extension anthropic.claude-code-2.1.116-win32-x64
  • Windows 10 guest inside Hyper-V, project accessed via \\tsclient\C\... drive redirect from Windows 11 host
  • VSCode setting security.allowedUNCHosts: ["tsclient"] set (no effect on Claude Code)

Why this is a real use case

The UNC mount is intentional: the project is also mounted via SMB on a Linux server (Oracle EBS r12) so that binary files (Oracle Forms .fmb) can be compiled directly on the server without transfer. Working from a local copy would break that workflow.

Attempted workarounds (all failed)

  • Directory symlink (mklink /D C:\bz \\tsclient\C\...) — Node/VSCode call realpath before handing CWD to the CLI, so UNC path is restored
  • net use Z: \\tsclient\C — rejected, tsclient isn't an SMB share
  • subst Z: \\tsclient\C — refuses UNC paths by design
  • New-PSDrive -Persist — requires a "remote computer" target
  • Searched the binary for env vars / flags / feature flags to disable the check: none exist

Request

Provide an opt-in escape hatch for trusted UNC hosts — e.g. a CLAUDE_CODE_ALLOW_UNC_HOSTS env var, a permissions.allowedUNCHosts settings entry mirroring VSCode's security.allowedUNCHosts, or a CLI flag. The WebDAV-attack mitigation is reasonable as a default, but should be overridable for users who understand the risk (same pattern as --dangerously-skip-permissions).

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗