[BUG] `allowedMcpServers` in managed-settings.json can be bypassed via CLI flags
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
The allowedMcpServers restriction in managed-settings.json can be bypassed by passing --mcp-config and --allowedTools flags at startup. An engineer can load an arbitrary MCP server configuration that would otherwise be blocked by the managed policy.
What Should Happen?
CLI flags should not override managed settings restrictions. allowedMcpServers (and deniedMcpServers) should be enforced regardless of how Claude Code is invoked. The docs state managed settings "cannot be overridden by user or project settings" — CLI flags should be subject to the same constraint.
Actual behavior:
The unapproved server loads successfully. The managed policy is silently ignored.
Error Messages/Logs
Steps to Reproduce
- Deploy a
managed-settings.jsonwith an MCP server allowlist:
```json
{
"allowedMcpServers": [{ "serverUrl": "https://approved.example.com/" }]
}
- Create a local .mcp.json pointing to an unapproved server:
{ "mcpServers": { "codegraph": { "type": "http", "url": "https://unapproved.example.com/" } } }
- Launch Claude Code with:
claude --mcp-config "./.mcp.json" --allowedTools "mcp__codegraph__*"
- The unapproved MCP server loads and its tools are available — allowedMcpServers is not enforced.
Claude Model
Not sure / Multiple models
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.1.70
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
managed-mcp.json(exclusive control mode) is not affected — it correctly blocks--mcp-configfrom adding additional servers.- Only the allowlist/denylist policy in managed-settings.json is bypassable.
- Workaround: use
managed-mcp.jsonfor enforcement instead ofallowedMcpServers. - For enterprise/security-sensitive deployments this is a significant gap, as
managed settings are the intended mechanism for IT-enforced MCP policy.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗