Claude Dynamic Workflows use Incorrect Permissions

Claude Dynamic Workflow subagents can execute with elevated permissions, violating documented guarantees.

Subagents spawned by Claude Dynamic Workflows inherit command approval modes from the user’s session, despite documentation explicitly stating “subagents the workflow spawns always run in acceptEdits mode… regardless of the user’s session mode”.

Note: ‘acceptEdits’ is a restricted mode that allows only limited file editing without user approval.

The documentation indicates that workflow subagent permission modes are restricted to 'acceptEdits' only.

As a result, subagents spawned by workflows can execute with unintended elevated permissions, such as in Auto or BypassPermissions modes. This exposes a risk of untrusted shell command execution, MCP invocation, network egress, edits outside the sandbox, and edits to sensitive protected file paths.

This has been validated on the latest version of Claude Code, Version 2.1.168. Claude Dynamic Workflows will be enabled by default for all users as of June 8, 2026.

How Organizations Can Disable Dynamic Workflows

Organizations can disable access to dynamic workflows by setting "disableWorkflows": true in:

Organization settings > Claude Code > Managed settings (settings.json)

Or, by disabling workflows in:

Organization settings > Claude Code > toggle off Workflows

Dynamic workflows can also be disabled at the role level by navigating to:

Organization settings > People > Roles > edit a role or create a new one > Capabilities > Claude Code > disable Workflows.
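To confirm that a deployed settings.json actually carries the setting described above, the following added example (not code from Claude Code or its documentation) classifies a settings document and flags the case where workflows remain enabled while the session mode is an elevated one. It assumes "disableWorkflows" sits at the top level of the file and that the session mode is stored under permissions.defaultMode with the mode names spelled as shown; the function name and sample documents are constructed for illustration.

```python
import json

# Assumptions (not from the page): "disableWorkflows" sits at the top level of
# settings.json, and the session mode is read from permissions.defaultMode
# with the elevated modes spelled as below.
ELEVATED_MODES = {"auto", "bypassPermissions"}


def audit_settings(text):
    """Classify one settings.json document; returns (status, findings)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return "ERROR", [f"invalid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return "ERROR", ["top level is not a JSON object"]

    if cfg.get("disableWorkflows") is True:
        return "DISABLED", []

    findings = []
    if "disableWorkflows" in cfg:
        # A string "true" or the number 1 is not the boolean the page specifies.
        findings.append(
            f"disableWorkflows is {cfg['disableWorkflows']!r}, not boolean true")
    perms = cfg.get("permissions")
    mode = perms.get("defaultMode") if isinstance(perms, dict) else None
    if isinstance(mode, str) and mode in ELEVATED_MODES:
        findings.append(f"session mode {mode!r} would reach workflow subagents")
        return "EXPOSED", findings
    return "ENABLED", findings


# Constructed sample documents, not real configurations.
SAMPLES = {
    "locked-down": '{"disableWorkflows": true}',
    "string-typo": '{"disableWorkflows": "true"}',
    "bypass": '{"permissions": {"defaultMode": "bypassPermissions"}}',
    "truncated": '{"disableWorkflows": tr',
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        status, findings = audit_settings(doc)
        print(f"{name:12} {status:9} {'; '.join(findings)}")
```

A status of ENABLED with a finding attached means the key is present but would not take effect as written, which is the case most likely to be missed in a manual review.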