[BUG] Security: denyRead in sandbox not working

Resolved 💬 5 comments Opened May 21, 2026 by collimarco Closed Jun 21, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

There is no way to prevent Claude Code from reading any file on the filesystem:

{
  "theme": "auto",
  "model": "opus",
  "sandbox": {
    "enabled": true,
    "failIfUnavailable": true,
    "allowUnsandboxedCommands": false,
    "autoAllowBashIfSandboxed": false,
    "filesystem": {
      "denyRead": ["//**"],
      "allowRead": [
        "~/Sites/example"
      ]
    }
  }
}

That settings in ~/.claude/settings.json should work, but Claude can still read files anywhere on the filesystem, and not just in the allowed directories.

What Should Happen?

Claude should respect the "denyRead": ["//**"] rule.

We also tried many variants like "denyRead": ["/"] and "denyRead": ["~/"] but nothing works.

Error Messages/Logs

Steps to Reproduce

  1. Create the above config file
  2. Try to read a file

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.140 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Please provide a reliable solution to prevent Claude Code from reading all files on the filesystem.

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗