Description
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own threat model) can set it to true in any tool_use response. Combined with the default allowUnsandboxedCommands: true setting, a prompt-injected model can escape the sandbox for any arbitrary command, achieving full host-level code execution. This issue has been patched in version 0.5.1.
Published: 2026-06-02
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A BashTool schema in OpenClaude exposes a dangerouslyDisableSandbox flag that a model can set to true, allowing execution of commands outside the intended sandbox and resulting in complete host-level code execution. The weakness falls under CWE-284 (Access Control Modification) and CWE-306 (Missing Authentication for Critical Function), compromising confidentiality, integrity, and availability.

Affected Systems

Gitlawb:openclaude is affected, specifically all releases prior to 0.5.1, which contain the vulnerable BashTool schema.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating a high severity. EPSS data is not available, so the likelihood of exploitation is unknown, and the flaw is not yet listed in CISA KEV. The probable attack vector involves a prompt injection that instructs the model to set dangerouslyDisableSandbox to true; combined with the default allowUnsandboxedCommands true setting, this yields unrestricted command execution on the host.

Generated by OpenCVE AI on June 2, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official OpenClaude patch to version 0.5.1 or newer
  • If upgrading is not immediately possible, disable allowUnsandboxedCommands by setting it to false
  • Validate or strip the dangerouslyDisableSandbox parameter from the BashTool schema to enforce the default false value
  • Consider implementing stricter input validation or access controls around the LLM’s ability to set critical flags

Generated by OpenCVE AI on June 2, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m77w-p5jj-xmhg OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
History

Tue, 02 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Gitlawb
Gitlawb openclaude
Vendors & Products Gitlawb
Gitlawb openclaude

Tue, 02 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own threat model) can set it to true in any tool_use response. Combined with the default allowUnsandboxedCommands: true setting, a prompt-injected model can escape the sandbox for any arbitrary command, achieving full host-level code execution. This issue has been patched in version 0.5.1.
Title OpenClaude: Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
Weaknesses CWE-284
CWE-306
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Gitlawb Openclaude
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T15:38:24.753Z

Reserved: 2026-04-23T19:17:30.565Z

Link: CVE-2026-42074

cve-icon Vulnrichment

Updated: 2026-06-02T17:52:33.911Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-02T17:16:32.073

Modified: 2026-06-02T17:19:53.963

Link: CVE-2026-42074

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T18:30:15Z

Weaknesses