[BUG] Security: denyRead in sandbox not working
Resolved 💬 5 comments Opened May 21, 2026 by collimarco Closed Jun 21, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
There is no way to prevent Claude Code from reading any file on the filesystem:
{
"theme": "auto",
"model": "opus",
"sandbox": {
"enabled": true,
"failIfUnavailable": true,
"allowUnsandboxedCommands": false,
"autoAllowBashIfSandboxed": false,
"filesystem": {
"denyRead": ["//**"],
"allowRead": [
"~/Sites/example"
]
}
}
}
That settings in ~/.claude/settings.json should work, but Claude can still read files anywhere on the filesystem, and not just in the allowed directories.
What Should Happen?
Claude should respect the "denyRead": ["//**"] rule.
We also tried many variants like "denyRead": ["/"] and "denyRead": ["~/"] but nothing works.
Error Messages/Logs
Steps to Reproduce
- Create the above config file
- Try to read a file
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.140 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
Please provide a reliable solution to prevent Claude Code from reading all files on the filesystem.
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗