[BUG] CCR v2 network sandbox blocks MCP stdio server outbound calls — regression from CCR v1

Resolved 💬 3 comments Opened May 17, 2026 by kk82i Closed May 20, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report
  • [x] I am using the latest version of Claude Code

What's Wrong?

After migration to CCR v2, MCP servers that make outbound HTTP calls (tavily-mcp,
@upstash/context7-mcp) are completely broken. All external hosts except
api.anthropic.com and registry.npmjs.org return "Host not in allowlist".

This worked in previous sessions on CCR v1. No config changes were made.
Setting network egress to "All domains" in Settings → Capabilities has no effect.

Environment

  • Claude Code Version: 2.1.42
  • Entrypoint: remote_desktop (cloud web session)
  • CLAUDE_CODE_USE_CCR_V2: true
  • Runner: release-b5ac58d65-ext

Steps to Reproduce

  1. Configure tavily-mcp or any MCP server that makes outbound API calls in .mcp.json
  2. MCP server process starts successfully (npm registry is reachable)
  3. Any outbound call from the MCP server returns 403 host_not_allowed
  4. Setting "Allow network egress → All domains" in Settings → Capabilities has no effect

What Should Happen?

MCP stdio servers should be able to make outbound API calls. Previously this worked.
If network sandboxing is intentional in CCR v2, the "Allow network egress" setting
should actually override it — currently it does nothing.

Related Issues

  • #30112 (network egress allowlist not working in Cowork)

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗