
Claude Code Has Been Reading Your Database Password This Whole Time
I recently had a concerning moment while using Claude Code. I typed /init to initialize the tool in my fresh project, and during development something unexpected happened - Claude Code attempted to read my .env file. My heart skipped a beat.

# What I saw
Claude Code is reviewing your .env file...

Why was this alarming?

Environment variables often contain:

- Database credentials
- API keys for third-party services
- Cloud provider secrets (AWS, GCP, Azure)
- Authentication tokens

Even if these are "just" dev or UAT environment secrets, exposure is still a serious security concern.

The Vulnerability History

My concern wasn't paranoid. Researching further, I discovered that Claude Code has had several security vulnerabilities:

- CVE-2026-25724: A symbolic link bypass that allowed reading restricted files
- Issue: Indirect Bash commands could still access files even with deny rules
- Broken .claudeignore: The .claudeignore file, which was supposed to block file access like .gitignore, simply didn't
Continue reading on Dev.to


