Security Permissions Bypass in Bash File Access Restrictions

Resolved 💬 7 comments Opened Aug 18, 2025 by unwnu Closed Jan 13, 2026

Bug Description
Bug Report: Claude Code Security Permissions Bypass

Summary:
Security permissions configured in .claude/settings.json can be
bypassed when using indirect file access through Bash
commands, allowing access to restricted files that should be
denied.

Steps to Reproduce:

  1. Configure .claude/settings.json with deny permissions:

{
"permissions": {
"deny": [
"Read(appsettings)",
"Edit(appsettings)",
"Write(appsettings)",
"Bash(appsettings)"
]
}
}

  1. Attempt direct file access using Read tool - correctly

denied

  1. Use indirect Bash commands that access the same restricted

files:

  • find /path -name "*.json" -exec grep -l "pattern" {} \;
  • grep -A5 -B2 "pattern" /path/to/appsettings.json

Expected Behavior:
All Bash commands accessing files matching the appsettings
pattern should be blocked according to the
"Bash(appsettings)" rule.

Actual Behavior:
Bash commands successfully execute and return content from
restricted files, bypassing the security permissions.

Security Impact:
This allows Claude to access sensitive configuration files
(like database connections, API keys, etc.) that users
explicitly intended to restrict, potentially exposing
confidential information.

Environment:

  • Claude Code CLI
  • Model: claude-opus-4-1-20250805
  • Platform: macOS (Darwin 24.6.0)

Environment Info

  • Platform: darwin
  • Terminal: tmux
  • Version: 1.0.83
  • Feedback ID: 2ba205a2-08b0-49b8-8b5b-29c6ab956cd5

View original on GitHub ↗

This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗