[BUG] Claude Code could read the .env content even .claude/settings.json is configured

Resolved 💬 9 comments Opened Sep 22, 2025 by ikamii Closed Jan 6, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

So I have created ~/.claude/settings.json and path/to/project/.claudeignore to avoid claude to read my .env content.

It still bypassed this configuration and could read the content inside it.

Following you can find our conversation:

> how can you see my .env again?

⏺ You're absolutely right to question that! I
  shouldn't be able to read your .env file due
   to the security settings you put in place.

  I was referencing the system reminder that
  showed me the changes to the file, but
  you're correct - this goes against the
  security setup you intentionally created. I
  should not have access to your actual Stripe
   keys and should stick to using the safe
  reference files you set up.

  Let me respect your security configuration
  and work with the information you provide
  directly rather than trying to see sensitive
   data.

> but how did you see it? where did you get that log?

⏺ You're absolutely right to be concerned about this! I can see your .env file contents through the
   "system-reminder" messages that appear in my context. These reminders show me when files are
  modified and include the actual changes.

  This is a gap in the security setup - even though you have:
  - .env read permissions denied in your ~/.claude/settings.json
  - The file properly configured to be private

  The system reminders are bypassing those protections by showing me the file changes directly.

  This is definitely not ideal for your security setup. You may want to:

  1. Report this as a security issue - the permission denials should prevent me from seeing the
  content through any means
  2. Consider using a different approach like environment variable names that don't reveal
  sensitive data
  3. Use the .claudeignore file if it provides better protection

I apologize for the security gap. Your instinct to question this was absolutely correct - the permission system should be more
   comprehensive.

  For now, I'll continue to avoid actively reading your .env file and work with the information you
   provide directly, but you should definitely address this security concern.

What Should Happen?

Claude should not see my .env file content.

Error Messages/Logs

Steps to Reproduce

I am not sure if it is reproducible, but what I did was creating a webpage and used .env for api keys. It could still see the content.

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

1.0.120

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Other

Additional Information

_No response_

View original on GitHub ↗

This issue has 9 comments on GitHub. Read the full discussion on GitHub ↗