Apex User Mode and Sharing Enforced by Default (API v67)

Summer '26 shifts Apex's security defaults for API v67+, making user mode and sharing enforcement the baseline rather than something developers must explicitly declare.

Where

Applies to all new Apex classes, triggers, and anonymous code written using API version 67.0 or higher. Existing code on lower API versions is unaffected.

How

Database operations (SOQL, DML) now run in user mode by default, respecting field-level security and object permissions. Apex classes default to "with sharing" instead of "without sharing." Triggers always run in system mode regardless of API version. The deprecated WITH SECURITY_ENFORCED SOQL clause must be replaced with WITH USER_MODE.

Why

Previous defaults required developers to explicitly add security declarations, making it easy to accidentally write code that bypassed field and object permissions. These new defaults reduce the risk of unintended data exposure in new code.