[BUG] `allowedMcpServers` in managed-settings.json can be bypassed via CLI flags

Resolved 💬 3 comments Opened Mar 6, 2026 by akos-lp Closed Apr 4, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The allowedMcpServers restriction in managed-settings.json can be bypassed by passing --mcp-config and --allowedTools flags at startup. An engineer can load an arbitrary MCP server configuration that would otherwise be blocked by the managed policy.

What Should Happen?

CLI flags should not override managed settings restrictions. allowedMcpServers (and deniedMcpServers) should be enforced regardless of how Claude Code is invoked. The docs state managed settings "cannot be overridden by user or project settings" — CLI flags should be subject to the same constraint.

Actual behavior:
The unapproved server loads successfully. The managed policy is silently ignored.

Error Messages/Logs

Steps to Reproduce

  1. Deploy a managed-settings.json with an MCP server allowlist:

```json
{
"allowedMcpServers": [{ "serverUrl": "https://approved.example.com/" }]
}

  1. Create a local .mcp.json pointing to an unapproved server:

{ "mcpServers": { "codegraph": { "type": "http", "url": "https://unapproved.example.com/" } } }

  1. Launch Claude Code with:

claude --mcp-config "./.mcp.json" --allowedTools "mcp__codegraph__*"

  1. The unapproved MCP server loads and its tools are available — allowedMcpServers is not enforced.

Claude Model

Not sure / Multiple models

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

2.1.70

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

  • managed-mcp.json (exclusive control mode) is not affected — it correctly blocks --mcp-config from adding additional servers.
  • Only the allowlist/denylist policy in managed-settings.json is bypassable.
  • Workaround: use managed-mcp.json for enforcement instead of allowedMcpServers.
  • For enterprise/security-sensitive deployments this is a significant gap, as

managed settings are the intended mechanism for IT-enforced MCP policy.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗