Claude Code's Deny Rules Silently Bypassed After Source Code Leak
Security firm Adversa AI discovers that Claude Code's deny rules are silently disabled when a command contains 50+ subcommands, letting attackers steal credentials.
Vlad Makarovreviewed and published
Fifty subcommands. That's all it took to make Claude Code forget every security rule its user had configured. Tel Aviv-based Adversa AI discovered the vulnerability after poring through the source code that Anthropic accidentally published last week — and what they found is the kind of flaw that keeps security engineers awake at night.
What Happened
Claude Code lets developers set "deny rules" — hard blocks that prevent the AI agent from executing specific commands, like reading SSH keys or exporting environment variables. These rules are supposed to be absolute. But buried in bashPermissions.ts was a hard-coded constant: MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50. Any command pipeline exceeding that threshold caused the security checker to silently fall back from "deny" to "ask," presenting the user with a generic approval prompt and no indication that their security policy had been bypassed.
The irony is painful: the limit existed as a performance fix. Complex piped commands were freezing the UI, so someone capped the parser at 50 subcommands. Anthropic's engineers had actually built a proper solution using a tree-sitter parser, but it was never shipped to public builds.
The attack vector is straightforward. A malicious CLAUDE.md file planted in a repository could instruct Claude Opus 4.6 to generate a pipeline with 50+ subcommands — chaining together innocuous-looking operations that ultimately exfiltrate SSH keys, AWS credentials, or npm tokens. The user would see only a vague permission dialog, stripped of context about what was actually being blocked.
Why This Matters
Claude Code generates an estimated $2.5 billion in annual recurring revenue and is used by over 500,000 developers. A Reddit post titled "Claude bypassing permissions" scored 7,524 upvotes with 483 comments, making it the biggest thread of the week — a sign that the developer community takes this seriously.
Adversa AI also flagged a separate workspace trust bypass tracked as CVE-2026-33068, compounding concerns about Claude Code's security posture just as Anthropic pushes the tool deeper into enterprise workflows.
What's Next
Anthropic patched the vulnerability in Claude Code v2.1.90, released around April 2. The fix reportedly deploys the tree-sitter parser that had been sitting in the codebase unused. Developers running older versions should update immediately — especially anyone who relies on deny rules to protect sensitive credentials in shared or open-source repositories.
