diff --git a/Library/Homebrew/sandbox.rb b/Library/Homebrew/sandbox.rb
index 0cbd7db525..4cf3fade5d 100644
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@@ -37,6 +37,14 @@ class Sandbox
   def allow_write(path:, type: :literal)
     add_rule allow: true, operation: "file-write*", filter: path_filter(path, type)
     add_rule allow: true, operation: "file-write-setugid", filter: path_filter(path, type)
+
+    file_write_mode_path = if Pathname(path).directory?
+      "#{path}/*"
+    else
+      path
+    end
+
+    add_rule allow: true, operation: "file-write-mode", filter: path_filter(file_write_mode_path, type)
   end
 
   sig { params(path: T.any(String, Pathname), type: Symbol).void }
@@ -289,6 +297,7 @@ class Sandbox
           (regex #"^/dev/tty[a-z0-9]*$")
           )
       (deny file-write*) ; deny non-allowlist file write operations
+      (deny file-write-mode) ; deny non-allowlist file write mode operations
       (allow process-exec
           (literal "/bin/ps")
           (with no-sandbox)