[BUG] MCP Permission Bypass Regression - Post-Outage Issue Affecting Multiple Accounts

Resolved 💬 3 comments Opened Oct 3, 2025 by cbulm84 Closed Jan 23, 2026

Environment

  • Platform: Claude Desktop & claude.ai web interface
  • Claude CLI version: 1.0.74+ (Claude Code CLI works correctly)
  • Operating System: Windows 11 (confirmed across multiple systems)
  • Affected Services: Claude Desktop, claude.ai web interface

Regression Summary

The MCP tool permission bypass issue has returned as a regression following the October 2-3, 2025 system outages. This is a critical escalation of previously reported issues that were thought to be resolved.

Timeline of Events

August 12, 2025:

  • Original issue reported: #5631
  • Behavior: MCP tools bypassing permission prompts
  • Scope: Account-specific (single user account affected)
  • Status: Closed as duplicate of #5749

August 14, 2025:

  • Duplicate issue created: #5749
  • Status: STILL OPEN (unresolved)

August - September 2025:

  • Issue temporarily self-resolved
  • Permission prompts worked correctly during this period
  • Users regained normal control over MCP tool execution

October 2-3, 2025:

  • Major Anthropic system outages (source):
  • October 2: "Claude.ai Connectors are Unhealthy" (resolved 17:31 UTC)
  • October 3: "Claude.ai, Claude Code, API, and console are experiencing degraded service" (resolved 05:16 UTC)
  • Multiple hours of complete system failure affecting all Anthropic services
  • Sporadic recovery over several hours

October 3, 2025 (Post-Outage):

  • Issue has regressed - MCP permission bypass returned immediately after services restored
  • Scope expanded - Now affecting multiple separate accounts (not account-specific anymore)
  • Severity increased - Complete disregard for all permission settings across platforms

---

Bug Description

ALL MCP tools execute automatically without permission prompts in Claude Desktop and claude.ai web interface, completely ignoring user-configured permission settings. This affects multiple independent accounts and occurs regardless of:

  • Permission settings configuration ("Always ask permission" is ignored)
  • MCP server type (affects all: Windows MCP, Context7, Playwright, GitHub, etc.)
  • Configuration method (claude_desktop_config.json or web/desktop connectors)
  • Device or browser (issue follows accounts across all devices)

Working Platforms

  • Claude Code CLI - Permission prompts work correctly
  • Claude.ai mobile/phone - Works correctly (per #5749)

Broken Platforms

  • Claude Desktop - No permission prompts, tools auto-execute
  • Claude.ai web interface - No permission prompts, tools auto-execute

---

Critical Changes from Previous Reports

Scope Expansion

Previously (August 2025):

  • Issue was account-specific
  • Affected single user account only
  • Creating new test account provided working permissions (workaround viable)

Currently (October 3, 2025):

  • Issue affects multiple independent accounts
  • Newly created accounts also affected
  • No viable workaround - permission bypass is system-wide across accounts
  • Suggests platform-level issue rather than account-level configuration

Impact on Users

Users have been forced to create multiple accounts to maintain productive workflows, but this workaround is no longer viable as the issue now affects all accounts simultaneously.

---

Related Issues & Status

| Issue | Title | Status | Notes |
|-------|-------|--------|-------|
| #5749 | MCP Tool Permission System Broken in Claude.ai Web Interface | OPEN | Primary issue, still unresolved |
| #5631 | MCP tools bypass permission prompts on Max account | Closed (duplicate) | My original report, Aug 12 |
| #5307 | MCP Enablement Dialog Bypassed in Bypass Permission Mode | Closed (duplicate) | Aug 7, mentioned by bot |

All duplicate issues were closed and referred to #5749, which remains OPEN and UNRESOLVED.

---

Steps to Reproduce

  1. Configure any MCP server in Claude Desktop or claude.ai web interface
  2. Set permissions to "Always ask permission" in settings
  3. Request Claude to use any MCP tool
  4. Observe: Tool executes immediately without permission prompt

Test across multiple accounts:

  1. Create new/separate Anthropic account
  2. Configure MCP tools with "Always ask permission"
  3. Observe: Same behavior - tools execute without prompts

---

Expected Behavior

  1. MCP tool requires execution
  2. Permission dialog appears: "Allow Claude to use [Tool] to [action]? Allow / Deny"
  3. User explicitly approves or denies
  4. Tool executes only after user approval

---

Actual Behavior

  1. MCP tool requires execution
  2. No permission dialog appears
  3. Tool executes immediately without user consent
  4. Zero user control over tool execution
  5. All permission settings are completely ignored

---

Evidence of Post-Outage Regression

Anthropic System Status (October 2-3, 2025)

From status.claude.com:

October 2, 2025:

Claude.ai Connectors are Unhealthy
- Investigating: 16:47 UTC - "Unable to connect to Claude.ai Connectors / MCP"
- Identified: 16:56 UTC
- Monitoring: 16:59 UTC
- Resolved: 17:31 UTC

October 3, 2025:

Claude.ai, Claude Code, API, and console are experiencing degraded service
- Investigating: 01:26 UTC
- Multiple updates through the night
- Partially recovered: 02:53 UTC - "Claude.ai is back up. API and Claude Code are partially back"
- Resolved: 05:16 UTC

Timeline Correlation:

  • Services restored: October 3, ~05:16 UTC
  • Permission bypass regression observed: Immediately upon service restoration
  • Issue persists: October 3, 2025 (current)

---

Business & Security Impact

User Control & Safety

  • Complete loss of user consent - Tools execute without permission
  • No way to prevent potentially destructive operations
  • False security - Users believe they have protection via settings
  • Trust violation - Application ignores explicit user security preferences

Operational Impact

  • Multiple account requirement - Users forced to maintain separate accounts for basic functionality
  • Workflow disruption - Cannot use MCP tools safely in production environments
  • Account management burden - Workaround no longer viable as issue spreads to all accounts

Enterprise & Business Concerns (per #5749)

  • Blocks MCP adoption for enterprise use cases
  • Prevents demonstration of "AI with human oversight" model
  • Creates liability concerns for automated operations
  • Undermines MCP ecosystem confidence

---

System Information

Confirmed Affected:

  • Multiple independent Anthropic accounts (at least 2 confirmed)
  • Windows 11 systems
  • Claude Desktop application (latest version)
  • claude.ai web interface (all browsers)
  • All MCP server types tested

Confirmed Working:

  • Claude Code CLI v1.0.74+
  • Claude.ai mobile interface

---

Troubleshooting Already Attempted

  • ✅ Cleared all cache and cookies
  • ✅ Signed out of all devices
  • ✅ Reset/restarted computer multiple times
  • ✅ Tested on multiple different computers
  • ✅ Deleted and re-added MCP tools
  • ✅ Verified all permission settings set to "Always ask permission"
  • ✅ Created new/separate accounts (no longer provides working permissions)
  • ✅ Tested across different MCP servers (all affected)

No troubleshooting steps have resolved the issue.

---

Requested Actions

Immediate (P0 - Critical)

  1. Acknowledge post-outage regression - Confirm awareness of issue returning after October 2-3 outages
  2. Emergency investigation - Determine what changed during outage/recovery that broke permissions
  3. Rollback consideration - If recent changes caused regression, consider rollback
  4. User notification - Inform users that permission settings are not being respected

Short-term

  1. Fix deployment - Restore permission prompt functionality to Claude Desktop and web interface
  2. Account audit - Investigate why issue now affects multiple accounts vs. previously being account-specific
  3. Testing - Comprehensive testing of permission system across all platforms before re-release

Long-term

  1. Monitoring - Implement alerts to detect permission system failures
  2. Regression testing - Add automated tests to prevent future permission system regressions
  3. Architecture review - Ensure permission controls are resilient to service outages/restarts

---

Additional Context

This is a regression of a known, unresolved issue (#5749). The fact that it returned immediately after the October 2-3 system outages strongly suggests:

  1. A configuration or setting was lost/corrupted during the outage
  2. A recent code change was deployed during recovery that reintroduced the bug
  3. A service dependency relationship changed that affects permission handling

The expansion from account-specific to multi-account scope indicates this may now be a platform-wide configuration issue rather than an individual account flag problem.

---

Labels Requested

  • bug
  • area:mcp
  • area:security
  • regression
  • P0 or critical

---

This is a critical security and user control issue that requires urgent attention. Users have no mechanism to prevent potentially destructive MCP tool operations when the permission system is non-functional.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗