[BUG] Security: permissions.deny rules not working

Resolved 💬 4 comments Opened May 21, 2026 by collimarco Closed Jul 7, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Claude can read an example.key file (or any other key file) inside the project directory even if the ~/.claude/settings.json clearly forbids that:

{
  "theme": "auto",
  "model": "opus",
  "sandbox": {
    "enabled": true,
    "failIfUnavailable": true,
    "allowUnsandboxedCommands": false,
    "autoAllowBashIfSandboxed": false,
    "filesystem": {
      "denyRead": ["//**"],
      "allowRead": [
        "~/Sites/example"
      ]
    }
  },
  "permissions": {
    "deny": [
      "Read(/**/*.key)"
    ]
  }
}

What Should Happen?

Claude should not be able to read those sensitive files, and should respect permissions.

Error Messages/Logs

Steps to Reproduce

  1. Create that ~/.claude/settings.json file with the content above
  2. Create an example.key file in the project directory
  3. Ask Claude to read that file

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.140 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗