CVE-2026-42074 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-42074: OpenClaude: Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own threat model) can set it to true in any tool_use response. Combined with the default allowUnsandboxedCommands: true setting, a prompt-injected model can escape the sandbox for any arbitrary command, achieving full host-level code execution. This issue has been patched in version 0.5.1.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: 0.5.1
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A sandbox bypass vulnerability exists in OpenClaude, an open-source coding-agent CLI. The flaw allows the language model itself (treated as an untrusted principal in the project's own threat model) to disable the command sandbox by setting the dangerouslyDisableSandbox parameter to true in any tool response, reachable over the network with no authentication required. Successful exploitation gives an attacker full host-level code execution by injecting prompts that cause the model to escape the sandbox and run arbitrary commands. A patched-image rebuild at version 0.5.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle the OpenClaude CLI. Any image containing an OpenClaude version below 0.5.1 is flagged immediately on scan.

Triage (Available)

HarborGuard surfaces this CVE with its CVSS v4.0 score of 9.3 (Critical) and weights it against each environment's compliance policy to determine urgency and routing. Triage alerts are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Pending upstream)

A patched-image rebuild at OpenClaude version 0.5.1 becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The OpenClaude agent is exposed over the network, and an attacker can reach it to inject malicious prompts without needing local system access.

  • Authentication: Not required

    No credentials or account are needed to submit prompt input to the agent.

  • Victim interaction: Not required

    No user action beyond normal agent operation is required; the model processes the injected tool response autonomously.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation is reliable and condition-free: injecting the dangerouslyDisableSandbox flag requires no race condition, knowledge of memory layout, or environmental prerequisite.

Blast Radius

  • Attacker executes arbitrary shell commands on the host running the OpenClaude agent with the full privileges of that process.
  • Attacker reads any file accessible to the agent process, including secrets, credentials, and source code on the host filesystem.
  • Attacker writes or modifies files on the host, enabling persistence, backdoor installation, or corruption of build artifacts.
  • Attacker disrupts or terminates any process reachable from the host, causing service outages for any workload co-located on that machine.

How HarborGuard Handles This

Available on HarborGuard: images containing OpenClaude below version 0.5.1 are flagged as Critical on every scan cycle. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at version 0.5.1, runs a regression check, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard routes a prioritized alert to the configured team inbox with remediation guidance. Until a rebuild is deployed, compensating controls worth considering include network-policy isolation of the agent process, restricting inbound prompt sources to trusted callers only, and setting allowUnsandboxedCommands to false in agent configuration if the environment supports it.
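Added example (JavaScript; not OpenClaude's own code) contrasting the flawed pattern the description above gives, where a model-writable dangerouslyDisableSandbox field in the BashTool input is honoured under allowUnsandboxedCommands: true, with a hardened dispatcher that closes the model-facing schema and takes sandbox policy only from host-side configuration, plus a check that flags the model-supplied field in recorded tool_use events. The function and config names (planBashExecution, unsandboxedCommandAllowlist) and the sample events are assumptions, not OpenClaude's API.

```javascript
// Added example, not OpenClaude's code. Function/config names and the sample
// transcript below are hypothetical; the two dispatchers model the flaw in the
// advisory (model input deciding sandboxing) and a host-controlled alternative.

// Vulnerable pattern: the model's own tool input decides whether to sandbox.
function planBashExecutionVulnerable(toolInput, hostConfig = { allowUnsandboxedCommands: true }) {
  const escape = hostConfig.allowUnsandboxedCommands && toolInput.dangerouslyDisableSandbox === true;
  return { accepted: true, command: toolInput.command, sandboxed: !escape };
}

// Hardened pattern: closed model-facing schema (only `command`), extra keys are
// rejected, and unsandboxed execution needs an explicit operator allowance.
const BASH_TOOL_INPUT_KEYS = new Set(['command']);

function planBashExecution(toolInput, hostConfig = { allowUnsandboxedCommands: false }) {
  if (typeof toolInput !== 'object' || toolInput === null) {
    return { accepted: false, reason: 'tool input must be an object' };
  }
  const unknown = Object.keys(toolInput).filter((k) => !BASH_TOOL_INPUT_KEYS.has(k));
  if (unknown.length > 0) {
    // Reject rather than silently drop: an unexpected key from the model is worth logging.
    return { accepted: false, reason: `unexpected tool input keys: ${unknown.join(', ')}` };
  }
  if (typeof toolInput.command !== 'string' || toolInput.command.length === 0) {
    return { accepted: false, reason: 'command must be a non-empty string' };
  }
  // Escaping the sandbox is a host decision: an operator-maintained exact-match
  // allowlist, gated by allowUnsandboxedCommands, which model output cannot reach.
  const allowlist = Array.isArray(hostConfig.unsandboxedCommandAllowlist) ? hostConfig.unsandboxedCommandAllowlist : [];
  const escape = hostConfig.allowUnsandboxedCommands === true && allowlist.includes(toolInput.command);
  return { accepted: true, command: toolInput.command, sandboxed: !escape };
}

// Detection: flag recorded tool_use events in which the model supplied the flag.
function findSandboxDisableAttempts(events) {
  return events
    .filter((e) => e.type === 'tool_use' && e.name === 'BashTool' && e.input !== null
      && typeof e.input === 'object' && 'dangerouslyDisableSandbox' in e.input)
    .map((e) => ({ id: e.id, command: e.input.command }));
}

// Constructed sample transcript (not real OpenClaude output).
const SAMPLE_EVENTS = [
  { type: 'tool_use', id: 'tu_1', name: 'BashTool', input: { command: 'npm test' } },
  { type: 'tool_use', id: 'tu_2', name: 'BashTool', input: { command: 'id', dangerouslyDisableSandbox: true } },
  { type: 'text', id: 'msg_3', text: 'Running tests.' },
];
console.log(planBashExecution(SAMPLE_EVENTS[1].input), findSandboxDisableAttempts(SAMPLE_EVENTS));
```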

Affected packages

  • Gitlawb / openclaude: < 0.5.1

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N