Claude Code Bypasses Deny Rules Exposing Vulnerability
Adversa, a Tel Aviv security firm, on April 1, 2026 reported that Claude Code's deny rules can be bypassed when a pipeline exceeds a hard cap of 50 subcommands, letting prompt-injected sequences include blocked commands like curl. The firm supplied a proof-of-concept and said Anthropic already has an internal tree-sitter parser and a one-line change to deny instead of ask; the flaw risks automated approvals and CI/CD pipelines.
Key Points
- 1Demonstrates deny-rule bypass via 50+ subcommand pipelines including curl in Claude Code
- 2Reveals enforcement cap (MAX_SUBCOMMANDS_FOR_SECURITY_CHECK=50) causes fallback to user 'ask' instead of deny
- 3Warns that automated approvals and non-interactive CI/CD runs can allow clandestine network access
Scoring Rationale
High score reflects a novel, actionable security finding with a simple, available fix and clear risks to automated deployments. Score is slightly reduced because the issue currently affects Claude Code deployments specifically and lacks an official Anthropic confirmation.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems