# [BUG][security] Cowork default working directory forces Documents-level (parent-folder) macOS permission grant — least-privilege violation

Open 💬 0 comments Opened Jun 16, 2026 by vsteppe

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Component

Claude Desktop — Cowork (research preview)

Environment

  • App: Claude Desktop for macOS
  • Version / build: 1.12603.1 (3df4fd)
  • macOS version: Sequoia 15.7.4
  • Hardware: Apple Silicon M2
  • Plan: <FILL IN — Pro / Max / Team / Enterprise>

Severity

High — security/privacy. Affects the permission boundary, not a cosmetic or capability issue.

Summary

On first Cowork use, the app requests access to the entire ~/Documents folder rather than to a dedicated, sandboxed working directory. Because macOS TCC scopes the Documents folder as a single all-or-nothing unit, granting Cowork its working directory necessarily grants read/write/delete over every file already in ~/Documents. The default working location places an agent with delete authority inside a primary user data store. This is a least-privilege violation in the default configuration.

Impact

  1. Blast-radius amplification. Cowork executes model-driven, multi-step file operations including permanent deletion (per Anthropic's own safety docs). Defaulting the working directory into ~/Documents sets the maximum blast radius of any erroneous or adversarial action to the user's entire Documents store rather than to an isolated sandbox. The harness permission scope is the control that bounds the cost of every downstream model error; an over-broad default multiplies that cost.
  2. Over-provisioning by default. The defect exists independent of whether any given user grants the request. A default that requests more than the function requires is the precondition for abuse, regardless of whether exposure has yet occurred.
  3. Documented-but-unenforced guidance. Anthropic's own safety documentation instructs users to "create a dedicated working folder rather than granting broad access." The product default contradicts this published guidance and offloads the mitigation onto the user.

Related / compounding defects

  • #57177 — no configurable workspace base path; default location not user-overridable.
  • #54138 — artifacts folder hardcoded; ignores user-selected folder.
  • #27162 — revoking Documents access via macOS System Settings → Privacy & Security → Files and Folders does not prevent a subsequent session from accessing a previously mounted subfolder. This defeats user-initiated revocation and means the over-broad grant cannot be reliably withdrawn.
  • #46205 — "Always allow" permission prompts not persisting within a session.

The combination of an over-broad default grant (#57177/#54138) and unreliable revocation (#27162) means the permission boundary is neither minimal at grant time nor reliably retractable afterward.

What Should Happen?

Requested resolution

  1. Change the default working directory to an isolated location outside all TCC-protected user folders.
  2. Never request ~/Documents, ~/Desktop, or home-directory access as part of default setup.
  3. Make the working directory user-configurable before first grant (resolves #57177).
  4. Ensure macOS-level permission revocation fully tears down all session mounts (resolves #27162).

Error Messages/Logs

Steps to Reproduce

Steps to reproduce

  1. Install Claude Desktop (macOS) and enable Cowork.
  2. Start a first Cowork session.
  3. Observe the macOS folder-access permission prompt presented during setup/first file operation.

Expected behavior

The default working directory is a dedicated, isolated folder created outside any TCC-protected user location (e.g. ~/Cowork or an app-scoped container). The permission prompt is scoped to that folder alone. Access to ~/Documents, ~/Desktop, or other pre-existing user data stores is never requested by default and only occurs if the user explicitly connects such a folder.

Actual behavior

The default working directory resolves inside ~/Documents (reported as hardcoded to ~/Documents/Claude in #57177 / #54138). To function, Cowork must satisfy the macOS Documents-folder TCC permission, which is all-or-nothing: the grant covers the entire ~/Documents tree, not a subfolder. The user is therefore presented with a binary choice between (a) granting an agent with delete capability access to their full Documents store, or (b) denying and being unable to use the default configuration.

Claude Model

Opus

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

Cowork App

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗