CVE-2026-42074
Published 2026-06-02
Priority P263 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.54% (41.5th percentile)
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own threat model) can set it to true in any tool_use response. Combined with the default allowUnsandboxedCommands: true setting, a prompt-injected model can escape the sandbox for any arbitrary command, achieving full host-level code execution. This issue has been patched in version 0.5.1.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitlawb | openclaude | < 0.5.1 | 0.5.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Gitlawb openclaude up to 0.5.0 Setting dangerouslyDisableSandbox missing authentication (GHSA-m77w-p5jj-xmhg)
vuldb·2026-06-02·CVSS 9.3
CVE-2026-42074 [CRITICAL] Gitlawb openclaude up to 0.5.0 Setting dangerouslyDisableSandbox missing authentication (GHSA-m77w-p5jj-xmhg)
A vulnerability was found in Gitlawb openclaude up to 0.5.0. It has been rated as critical. The affected element is an unknown function of the component Setting Handler. This manipulation of the argument dangerouslyDisableSandbox causes missing authentication.
This vulnerability is handled as CVE-2026-42074. The attack can be initiated remotely. There is not any exploit available.
Upgrading the affected component is advised.
GHSA
OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
ghsa·2026-05-12
CVE-2026-42074 [CRITICAL] CWE-284 OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
### Summary
The `dangerouslyDisableSandbox` parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own threat model) can set it to `true` in any `tool_use` response. Combined with the default `allowUnsandboxedCommands: true` setting, a prompt-injected model can escape the sandbox for any arbitrary command, achieving full host-level code execution.
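The trust-boundary problem described above, as an added TypeScript example that is neither OpenClaude's code nor the 0.5.1 patch: the same constructed `tool_use` input is run through a decision that reads the flag from model input and through one that takes the override only from the operator. Only `dangerouslyDisableSandbox` and `allowUnsandboxedCommands` come from the advisory; the function names, the key allowlist and the operator-approval parameter are assumptions.

```typescript
// Added illustration. Only dangerouslyDisableSandbox and allowUnsandboxedCommands
// come from the advisory; every other name here is hypothetical.
type ToolInput = Record<string, unknown>
interface OperatorSettings { sandboxEnabled: boolean; allowUnsandboxedCommands: boolean }

// Keys the model may supply in a tool_use input (assumed list).
const MODEL_SETTABLE = ['command', 'timeout', 'description']

// Pattern described in the advisory: the bypass flag is read from model input.
function useSandboxVulnerable(input: ToolInput, s: OperatorSettings): boolean {
  if (!s.sandboxEnabled) return false
  if (input['dangerouslyDisableSandbox'] === true && s.allowUnsandboxedCommands) return false
  return true
}

// Split raw model input into accepted keys and rejected keys, so a privileged
// flag never reaches the decision and its presence can be logged as a signal.
function filterModelInput(raw: ToolInput): { accepted: ToolInput; rejected: string[] } {
  const accepted: ToolInput = {}
  const rejected: string[] = []
  for (const key of Object.keys(raw)) {
    if (MODEL_SETTABLE.indexOf(key) !== -1) accepted[key] = raw[key]
    else rejected.push(key)
  }
  return { accepted, rejected }
}

// Hardened decision: the override comes only from an operator approval obtained
// outside the model's channel (assumed here to be an interactive prompt).
function useSandboxHardened(s: OperatorSettings, operatorApproved: boolean): boolean {
  if (!s.sandboxEnabled) return false
  return !(operatorApproved && s.allowUnsandboxedCommands)
}

// Constructed tool_use input of the shape a prompt-injected model could return.
const sampleInput: ToolInput = { command: 'ls', dangerouslyDisableSandbox: true }
const defaults: OperatorSettings = { sandboxEnabled: true, allowUnsandboxedCommands: true }

// Run both decisions on the same input with no operator approval given.
function compareDecisions(raw: ToolInput, s: OperatorSettings) {
  const { rejected } = filterModelInput(raw)
  return {
    vulnerable: useSandboxVulnerable(raw, s),
    hardened: useSandboxHardened(s, false),
    rejected,
  }
}
```

A non-empty `rejected` list on a Bash tool call is worth alerting on, since a model has no legitimate reason to send a privileged key.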
### Details
The vulnerability exists in the `shouldUseSandbox()` function in `src/tools/BashTool/shouldUseSandbox.ts` (lines 130–153):
```typescript
export function shouldUseSandbox(input: Partial): boolean {
  if (!SandboxManager.isSandboxingEnabled()) {
    return false
  }
  // THE VULNERABILITY: model-control
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-02
Published