Agent tool subagents can access file paths outside approved permission boundaries
Open 💬 1 comment Opened Jul 3, 2026 by kstewart-eleven
Summary
When the Agent tool spawns Plan or Explore subagents, those agents can read files from paths that are not in settings.json permissions.allow, not declared as working directories, and not in the memory folder — without triggering any permission prompt.
Steps to Reproduce
- Configure
settings.jsonwith a limitedpermissions.allowlist (e.g. onlyRead(/Users/kevin/TestData/addresses/**)) - Set a working directory to
/Users/kevin/claude-projects/TestTooling/ - Ask Claude to plan a task involving files in
/Users/kevin/git/erad-core/scripts/(user-directed, approved via tool prompt) - The spawned Plan agent additionally reads files in
/Users/kevin/git/qa-api/reporting-api-tests/— a path not in any approved list and not relevant to the task
Expected Behaviour
Subagents should respect the same permission boundaries as the parent session. Reads to unapproved paths should either be blocked or prompt the user for approval.
Actual Behaviour
The Plan agent accessed /Users/kevin/git/qa-api/reporting-api-tests/ and /Users/kevin/git/qa-iac/fias-simulator/ without prompting. The parent session then incorrectly denied the access had occurred when the user challenged it.
Additional Notes
- The accessed paths contained no sensitive data in this instance, but the boundary violation is the concern
- The parent session's denial of the access when challenged is a separate trust issue — the session asserted the agents stayed within scope without verifying their actual activity
Environment
- Claude Code CLI
- Model: claude-sonnet-4-6
- macOS Darwin 25.5.0
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗