Salesforce Winter ’26: What’s Being Enforced (and What To Do Now)
Upgrade windows: Salesforce rolls out Winter ’26 across three weekends — September 19, October 3, and October 10, 2025 (exact timing varies by instance). Check your org’s date on the Maintenance Calendar.
At Cloud Scrums, we keep your Salesforce org compliant and interruption-free. Winter ’26 includes several enforced changes that can affect access, automations, and integrations. Here’s the short list, what it means, and what to do next, backed only by Salesforce documentation.
1) Restrict User Access to Run Flows — Enforced in Winter ’26
What’s changing
Users will need the explicit permission to run each flow. Broad/implicit access no longer works once enforcement hits your org. Salesforce+1
Action steps
Inventory who launches each high-traffic Flow (Screen & Autolaunched).
Assign Run Flows (and narrower flow-level permissions, where used).
Regression test your top flows in a Winter ’26 sandbox. Salesforce
2) Secure Roles Behavior & Sharing Group Label — Enforced in Winter ’26
What’s changing
In orgs without Digital Experiences enabled, the default group label becomes “Role and Internal Subordinates” (instead of “Roles and Subordinates”). Any references to the old string in Apex, SOQL, Flows, validation rules, or integrations must be updated. Salesforce+1
Action steps
Search metadata for:
Roles and Subordinates,roleAndSubordinates,RoleAndSubordinates.Update to Role and Internal Subordinates and redeploy. Salesforce
3) Confirm Verified Email Addresses (Legacy Users) — Enforced in Winter ’26
What’s changing
To meet modern email security standards, only users with a verified email address can send emails from Salesforce. This specifically impacts accounts created on or before Nov 1, 2016 that never verified. Salesforce
Action steps
Create a list view of active users created ≤ Nov 1, 2016 with Unverified email; send verification links.
Use this window to review DKIM/return-path configuration as best practice. Salesforce
4) Update Instanced URLs in API Traffic — Sandbox Enforcement in Winter ’26 (All orgs Spring ’26)
What’s changing
APIs must use your My Domain host—not instanced URLs like naXX.salesforce.com. Salesforce enforces this in sandboxes with Winter ’26 and in all orgs by Spring ’26. Calls that still target instanced hosts will fail after enforcement. Salesforce
Action steps
Replace hard-coded instance hosts in ETL tools, middleware, scripts, and packages with your My Domain.
In Setup → My Domain → Redirections, use the “Block API traffic that uses an incorrect instanced URL” option to test before prod enforcement. Salesforce
5) Enforce Permission Requirements on Built-In Apex Classes (Flow) — Enforced in Winter ’26
What’s changing
Flows invoking certain built-in Apex behaviors will respect the permission requirements defined on those classes once enforcement is on. (Salesforce postponed this earlier; enforcement now lands in Winter ’26.) Salesforce
Action steps
Review Flows that call Apex actions; confirm the running users have the required permissions or refactor to run in a suitable context. Salesforce
Not Enforced in Winter ’26 (But on the Horizon)
Apex Invocable Parameter Change (No-Argument Constructor requirement): Salesforce postponed enforcement to Summer ’26. Keep it on your radar if you build invocables. Salesforce
Legacy (non-enhanced) domain redirections: Enforcement for disabling legacy redirects is Spring ’26; plan now if you still rely on old hostnames. Salesforce
Quick Checklist for Admins & Owners
Flows: Map launchers → assign Run Flows; re-test critical paths. Salesforce
Sharing: Replace Roles and Subordinates with Role and Internal Subordinates everywhere. Salesforce
Email: Verify legacy user emails (≤ Nov 1, 2016). Salesforce
Integrations: Swap instanced endpoints for My Domain; enable block incorrect instanced URL in sandboxes to validate. Salesforce+1
Flows + Apex: Confirm permissions for built-in Apex classes invoked by Flows. Salesforce
How Cloud Scrums Can Help
As a Salesforce Consulting Partner, we’ll audit your org for these enforcement changes, fix permission and sharing references, update integration endpoints, and guide you through email verification and DKIM so your teams keep moving with zero downtime. Contact Us for more Details!
