CVE-2026-42074 Overview
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. The vulnerability exposes the dangerouslyDisableSandbox parameter as part of the BashTool input schema, allowing the large language model (LLM) to set it to true in any tool_use response. Combined with the default allowUnsandboxedCommands: true setting, a prompt-injected model can escape the sandbox for any arbitrary command. This results in full host-level code execution on systems running OpenClaude prior to version 0.5.1. The flaw is categorized under [CWE-284] Improper Access Control.
Critical Impact
A prompt-injected LLM can disable the OpenClaude sandbox and execute arbitrary commands on the host with the privileges of the OpenClaude process.
Affected Products
- Gitlawb OpenClaude versions prior to 0.5.1
- OpenClaude deployments using default allowUnsandboxedCommands: true configuration
- Any OpenClaude instance exposing the BashTool to untrusted model output
Discovery Timeline
- 2026-06-02 - CVE-2026-42074 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-42074
Vulnerability Analysis
OpenClaude implements a sandbox to constrain commands executed through its BashTool. The tool's input schema, however, exposes the dangerouslyDisableSandbox boolean directly to the model. Because OpenClaude's own threat model treats the LLM as an untrusted principal, any schema field reachable by the model becomes attacker-controllable through prompt injection.
When an adversary delivers a prompt injection payload, the model can emit a tool_use response that sets dangerouslyDisableSandbox: true. The default configuration value allowUnsandboxedCommands: true permits the runtime to honor this flag without operator confirmation. The result is unrestricted command execution outside the sandbox, equivalent to running arbitrary shell commands as the user invoking OpenClaude.
Root Cause
The root cause is a broken trust boundary. Security-critical control parameters that should be operator-only were placed in the same input schema as model-controlled arguments. There is no server-side enforcement that strips or rejects dangerouslyDisableSandbox when supplied by the LLM. The permissive default allowUnsandboxedCommands: true compounds the issue by accepting the disable flag without challenge.
Attack Vector
An attacker delivers indirect prompt injection through any untrusted input the agent processes, including source files, web pages fetched by the agent, issue trackers, or repository README content. The injected instructions cause the model to invoke BashTool with dangerouslyDisableSandbox: true and a malicious command. OpenClaude executes the command unsandboxed, achieving remote, network-reachable code execution on the host.
No authentication or user interaction is required beyond the agent processing attacker-controlled content. For technical specifics, see the GitHub Security Advisory GHSA-m77w-p5jj-xmhg and the patch commit.
Detection Methods for CVE-2026-42074
Indicators of Compromise
- OpenClaude audit logs containing tool_use entries where dangerouslyDisableSandbox is set to true.
- Child processes spawned by the OpenClaude binary that bypass the expected sandbox wrapper or container boundary.
- Unexpected outbound network connections, file writes outside the project directory, or credential access originating from the OpenClaude process.
Detection Strategies
- Inspect OpenClaude session transcripts and tool-call logs for any occurrence of the dangerouslyDisableSandbox key in model-generated arguments.
- Correlate BashTool invocations with the executed command string and parent agent context to flag unsandboxed shell activity.
- Hunt for prompt-injection precursors such as agent reads from attacker-controlled URLs, untrusted issue content, or third-party repository files immediately preceding shell execution.
Monitoring Recommendations
- Enable verbose tool-use logging in OpenClaude and forward logs to a central SIEM for retention and search.
- Alert on process-tree anomalies where the OpenClaude process spawns shells, package managers, or network utilities outside an approved baseline.
- Monitor filesystem and credential-store access by the OpenClaude user, including reads of ~/.ssh, cloud provider credential files, and shell history.
How to Mitigate CVE-2026-42074
Immediate Actions Required
- Upgrade OpenClaude to version 0.5.1 or later, which removes dangerouslyDisableSandbox from the model-facing schema.
- Audit existing OpenClaude deployments for the allowUnsandboxedCommands setting and set it to false where not explicitly required.
- Review recent agent transcripts and host telemetry for evidence of sandbox-disabled tool calls prior to patching.
Patch Information
The issue is patched in OpenClaude 0.5.1. The fix removes the dangerouslyDisableSandbox parameter from the BashTool input schema so the LLM cannot supply it. Details are available in the GitHub Pull Request #778 and the patch commit aab4890.
Workarounds
- Run OpenClaude inside an isolated container or virtual machine with no access to credentials, source repositories, or production networks.
- Restrict the user account running OpenClaude to least privilege and deny write access to sensitive directories.
- Disable or remove the BashTool entirely for workflows that do not require shell execution until the patched version is deployed.
# Configuration example: upgrade and harden OpenClaude
npm install -g openclaude@0.5.1
# Verify installed version
openclaude --version
# Explicitly disable unsandboxed command execution
export OPENCLAUDE_ALLOW_UNSANDBOXED_COMMANDS=false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
