diff --git a/commons/commons-api/src/main/java/fr/gouv/vitamui/commons/api/utils/CriteriaUtils.java b/commons/commons-api/src/main/java/fr/gouv/vitamui/commons/api/utils/CriteriaUtils.java
index d8489ed76dfb4f0bd7893c140cada2c363ac8082..ba76a41bf2b9b4a5a853efe5517351f1e12c1aaa 100644
--- a/commons/commons-api/src/main/java/fr/gouv/vitamui/commons/api/utils/CriteriaUtils.java
+++ b/commons/commons-api/src/main/java/fr/gouv/vitamui/commons/api/utils/CriteriaUtils.java
@@ -131,6 +131,7 @@ public final class CriteriaUtils {
                 throw new ForbiddenException("Criterion with key : " + criterion.getKey() + " is not allowed");
             }
         });
+        criteriaDto.getSubQueries().forEach(queryDto -> checkContainsAuthorizedKeys(queryDto, allowedKeys));
     }
 
     public static QueryDto fromJson(final String criteriaJson) {