[BUG] Permission bypass: @ prefix allows reading denied files

Resolved 💬 3 comments Opened Aug 29, 2025 by elifah93 Closed Sep 2, 2025

Environment

  • Platform (select one):
  • [x] Anthropic API
  • [ ] AWS Bedrock
  • [ ] Google Vertex AI
  • [ ] Other: <!-- specify -->
  • Claude CLI version: 1.0.96 (Claude Code)
  • Operating System: macOS (Darwin 24.6.0)
  • Terminal: VS Code

Bug Description

The @ prefix bypasses file permission restrictions in Claude Code. When a file is explicitly denied read permissions, using read @filename allows Claude to access the file anyway, circumventing the intended security controls.

Steps to Reproduce

  1. Configure Claude Code to deny read permissions for a specific file (e.g., .env)
{
  "permissions": {
    "deny": [
      "Read(.env)"
    ]
  }
}
  1. Attempt to read the file normally: read .env - correctly returns "Permission denied"
  2. Use the @ prefix: read @.env - incorrectly allows file access and displays contents

Expected Behavior

The @ prefix should respect the same permission settings as direct file access. If a file is configured to be denied, it should remain inaccessible regardless of the syntax used to reference it.

Actual Behavior

The @ prefix bypasses permission restrictions and allows reading of explicitly denied files, potentially exposing sensitive information like environment variables and secrets.

Additional Context

This is a security-related permission bypass that could expose sensitive files containing secrets, API keys, or other confidential data that users have intentionally restricted.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗