Agent tool subagents can access file paths outside approved permission boundaries

Open 💬 1 comment Opened Jul 3, 2026 by kstewart-eleven

Summary

When the Agent tool spawns Plan or Explore subagents, those agents can read files from paths that are not in settings.json permissions.allow, not declared as working directories, and not in the memory folder — without triggering any permission prompt.

Steps to Reproduce

  1. Configure settings.json with a limited permissions.allow list (e.g. only Read(/Users/kevin/TestData/addresses/**))
  2. Set a working directory to /Users/kevin/claude-projects/TestTooling/
  3. Ask Claude to plan a task involving files in /Users/kevin/git/erad-core/scripts/ (user-directed, approved via tool prompt)
  4. The spawned Plan agent additionally reads files in /Users/kevin/git/qa-api/reporting-api-tests/ — a path not in any approved list and not relevant to the task

Expected Behaviour

Subagents should respect the same permission boundaries as the parent session. Reads to unapproved paths should either be blocked or prompt the user for approval.

Actual Behaviour

The Plan agent accessed /Users/kevin/git/qa-api/reporting-api-tests/ and /Users/kevin/git/qa-iac/fias-simulator/ without prompting. The parent session then incorrectly denied the access had occurred when the user challenged it.

Additional Notes

  • The accessed paths contained no sensitive data in this instance, but the boundary violation is the concern
  • The parent session's denial of the access when challenged is a separate trust issue — the session asserted the agents stayed within scope without verifying their actual activity

Environment

  • Claude Code CLI
  • Model: claude-sonnet-4-6
  • macOS Darwin 25.5.0

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗