All articles
Threat IntelligenceMay 2026·4 min read

OpenClaude Flaw: Model-Controlled Input Disables Sandbox for RCE

A critical design flaw in the open-source AI agent allows a model to disable its own security controls, leading to host-level command execution via prompt injection.

OpenClaude Flaw: Model-Controlled Input Disables Sandbox for RCE
Illustration generated by Helixar Research Labs. Not a depiction of a real system, attack, or affected product.

At a Glance

CVE-2026-42074

Identifier

9.3 Critical

CVSS Score

Network

Attack Vector

OpenClaude < 0.5.1

Affected Product

A critical vulnerability in the OpenClaude AI coding agent allows a language model to disable its own sandbox protections [1].

The flaw, tracked as CVE-2026-42074, enables host-level remote code execution through prompt injection [5].

All versions of the open-source agent from vendor Gitlawb prior to 0.5.1 are affected by this fundamental design issue [2].

The Attack Chain: From Prompt to Host

The exploit begins when an attacker influences the input to the agent's language model. This can happen through a malicious document, a crafted API response, or a direct prompt. The goal is to make the model invoke its `BashTool` with a specific, undocumented parameter: `dangerouslyDisableSandbox`.

This parameter exists within the tool's input schema, making it visible and accessible to the model itself. When the model constructs its tool call, it can set `dangerouslyDisableSandbox: true`. This input is passed to the `shouldUseSandbox()` function, which contains the flawed logic. The function checks for the bypass flag and a second condition: whether unsandboxed commands are permitted.

In all default installations of OpenClaude before version 0.5.1, the `allowUnsandboxedCommands` policy is set to `true`. This combination means a single parameter from the model's tool call is sufficient to bypass all sandbox protections. An attacker who triggers this can execute arbitrary commands with the full permissions of the agent's host process. This access allows for credential theft, reverse shell execution, and lateral movement into connected internal systems.

An Architectural Anti-Pattern

The root cause of CVE-2026-42074 is not a simple coding mistake but a structural design flaw. It is an example of an architectural anti-pattern in agentic systems: exposing security-governing parameters within the LLM's tool-calling interface. Any parameter in a tool schema is a control knob the model can turn. If that knob disables a security control, it creates a direct path for exploitation via prompt injection.

KEY TAKEAWAY

Security-governing parameters must never be controlled by LLM-supplied input.

This vulnerability class is not unique to OpenClaude. Any agentic framework that places sandbox controls, network permissions, or credential access flags inside a model-accessible schema has the same attack surface. The parameter names may differ, but the exploit shape remains identical. Prompt injection leads to the model supplying a bypass flag, which results in privileged access.

The flaw is compounded by a permissive default setting. A policy of `allowUnsandboxedCommands: true` by default means that every standard deployment is vulnerable out of the box. This violates the principle of secure-by-default design, where sensitive capabilities should require explicit, operator-driven opt-in. The vulnerability maps to both Improper Access Control (CWE-284) and Missing Authentication for Critical Function (CWE-306).

Detection and Defense in Depth

Helixar provides two independent layers of coverage against this attack class, operating outside the model's control surface. The first is Agentic Scope Enforcement. An AI agent's permissions are defined at the process level, restricting its access to files, network addresses, and other system resources. A sandbox bypass does not alter this enforced scope, so attempts to read SSH keys or connect to unknown IP addresses are blocked regardless of the sandbox state.

The second layer is Behavioural Sequence Detection. The exploitation chain has a distinct signature: a tool call with a novel bypass flag, followed by credential file access, followed by an outbound network connection. While each step might appear legitimate in isolation, the sequence is a strong indicator of compromise. Helixar's behavioral engine detects this pattern, providing a high-fidelity alert on the exploit itself.

Should an attacker succeed in exfiltrating credentials like AI API keys, Helixar BearTrap provides a third layer of defense. It detects when a known credential is used with a new client fingerprint or from a new network origin. This post-exploit detection is independent of the initial endpoint compromise and helps contain the impact of credential theft.

Immediate and Structural Mitigation

Teams using OpenClaude must upgrade to version 0.5.1 immediately. The patch removes the `dangerouslyDisableSandbox` parameter from the tool schema, making it impossible for the model to supply it [3].

It also changes the default policy for `allowUnsandboxedCommands` to `false`, ensuring that unsandboxed execution is an explicit choice [4]. Administrators should scan all environments, including container images and CI caches, for vulnerable versions and rotate any credentials accessible to the agent process.

Structurally, all teams building or deploying AI agents should audit their tool schemas. Remove any parameter that governs security policy, sandbox state, or permission scope. These controls must be managed through runtime configuration or operator policy, completely outside the model's influence. All security-sensitive permissions should be deny-by-default.

Finally, security teams must treat prompt injection as an inevitable exploitation primitive, not a theoretical risk. Any agent that consumes untrusted input from documents, web pages, or API responses operates within this attack surface. Defenses must assume that prompt injection will occur and ensure that security controls cannot be disabled by model-supplied input.

References

  1. GitHub Security Advisory (GHSA-m77w-p5jj-xmhg). https://github.com/advisories/GHSA-m77w-p5jj-xmhg (accessed 2026-05-13).
  2. github.com. https://github.com/Gitlawb/openclaude (accessed 2026-05-13).
  3. Patch commit / PR (github.com). https://github.com/Gitlawb/openclaude/pull/778 (accessed 2026-05-13).
  4. Patch commit / PR (github.com). https://github.com/Gitlawb/openclaude/commit/aab489055c53dd64369414116fe93226d2656273 (accessed 2026-05-13).
  5. NIST NVD record for CVE-2026-42074. https://nvd.nist.gov/vuln/detail/CVE-2026-42074 (accessed 2026-05-13).

About Helixar Research Labs

Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.

Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.

If you run agents in production, this is for you. Learn more at helixar.ai.

Back to Press