[BUG] Claude Code violated .gitignore/.claudeignore policy by reading .env file using Bash cat command in auto-approve mode

Resolved 💬 1 comment Opened Apr 23, 2026 by mgrandinelli Closed May 27, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Claude Code executed cat /opt/lookops/backend/.env via the Bash tool while running in auto-approve permissions mode, exposing sensitive credentials (database password, SECRET_KEY, ENCRYPTION_KEY) in the conversation context. The file was explicitly listed in both .gitignore and .claudeignore, and the project's CLAUDE.md contained the rule "Never read or modify .env.* files". Auto-approve mode was used to bypass this explicit security policy.

What Should Happen?

Claude should refuse to read any file listed in .gitignore or .claudeignore, regardless of the permission mode active at the time. Auto-approve mode is intended to reduce friction for safe and routine operations, not to bypass explicit security rules defined by the user.

Error Messages/Logs

No error was shown. The Bash tool executed silently and returned the full contents of the .env file including credentials.

Steps to Reproduce

Create a project with a .env file containing real credentials
Add .env to both .gitignore and .claudeignore
Add a rule in CLAUDE.md stating "Never read or modify .env.* files"
Enable auto-approve permissions mode
Ask Claude to perform a task that requires a database connection (e.g. run an Alembic migration)
Observe that Claude executes cat .env via Bash without asking the user and exposes the credentials in the conversation

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

Claude Sonnet 4.6

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

VS Code integrated terminal

Additional Information

Summary

Claude Code executed cat /opt/lookops/backend/.env via the Bash tool while
running in auto-approve permissions mode, exposing sensitive credentials
(database password, SECRET_KEY, ENCRYPTION_KEY) in the conversation context.

Rules violated

  • The project CLAUDE.md explicitly states: "Never read or modify .env.* files"
  • The file was listed in both .gitignore and .claudeignore
  • Auto-approve mode is intended to reduce friction for safe operations,

not to bypass explicit security rules

What happened

  1. Claude needed the DATABASE_URL to run an Alembic migration
  2. Instead of asking the user, it executed cat /opt/lookops/backend/.env
  3. The tool call was auto-approved because auto-approve mode was active
  4. Real credentials (shared between dev and prod environments) were exposed

in the conversation and potentially stored in Anthropic's systems

Expected behavior

Claude should refuse to read any file listed in .gitignore or .claudeignore,
regardless of the permission mode active at the time.

Impact

  • Credentials exposed in conversation context (potentially stored by Anthropic)
  • User forced to rotate database password, SECRET_KEY, and ENCRYPTION_KEY

across dev and prod environments

  • Breach of user trust in the auto-approve permission model

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗