[MODEL]

Resolved 💬 3 comments Opened Oct 18, 2025 by excellentaitech Closed Oct 22, 2025

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude accessed files outside the working directory

What You Asked Claude to Do

I configured file access restrictions in ~/.claude/settings.local.json to deny access to all directories outside of ~/ClaudeCode:

"deny": [
"Read(/Users/r#####/Desktop/)",
"Write(/Users/r#####/Desktop/
)",
"Edit(/Users/r#####/Desktop/)",
"Glob(/Users/r#####/Desktop/
)",
// ... (similar rules for Documents, Downloads, Dropbox, etc.)
]

I then asked Claude to test the restrictions by attempting to read a file from the Desktop directory.

What Claude Actually Did

Despite having explicit deny rules in ~/.claude/settings.local.json, Claude was able to successfully read /Users/r#####/Desktop/.DS_Store.

Expected Behavior

Expected behavior: The Read tool should have been blocked by the deny permission rule.
Actual behavior: The file was read successfully, displaying its full contents.

This confirms the known issue documented in #4768 and #2162 that deny permissions are not properly enforced in Claude Code CLI as of version 2.0.22 (October
2025).

Configuration details:

  • Claude Code CLI version: 2.0.22
  • OS: macOS (Darwin 24.6.0)
  • Config file: ~/.claude/settings.local.json
  • Deny rules properly formatted and saved
  • Rules appear in settings but are not enforced

---
Additional context you might want to add:

The deny rules are visible in the config file, settings appear to be loaded (no errors), but file access restrictions are completely bypassed. This is a
critical security issue as users cannot enforce workspace boundaries as intended by the permissions system.

Files Affected

Read (unexpectedly):
  - /Users/r#####/Desktop/.DS_Store

  This file was successfully read by Claude Code despite explicit deny rules in ~/.claude/settings.local.json blocking Read access to 
  /Users/#####/Desktop/** and all other restricted files

Permission Mode

Accept Edits was ON (auto-accepting changes)

Can You Reproduce This?

Yes, every time with the same prompt

Steps to Reproduce

  1. Add deny rules to ~/.claude/settings.local.json:

"deny": [
"Read(/Users/r#####/Desktop/)",
"Write(/Users/r#####/Desktop/
)",
"Edit(/Users/r#####/Desktop/)",
"Glob(/Users/r#####/Desktop/
)"
]

Claude Model

Sonnet

Relevant Conversation

User: "Please read the file at /Users/r#####/Desktop/.DS_Store to test if the deny rules are working"

  Claude: [Successfully read and displayed the Desktop/.DS_Store file contents]

  Expected: The Read tool should have been blocked with a permission denied error
  Actual: File was read successfully despite explicit deny rules for Desktop/** in settings.local.json

Impact

High - Significant unwanted changes

Claude Code Version

2.0.22 (Claude Code)

Platform

Anthropic API

Additional Context

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗