EXECUTIVE SUMMARY:
CVE-2026-42074 (CVSS 9.3) is a critical vulnerability in the openclaude package, affecting versions earlier than 0.5.1, that allows an attacker to bypass the sandbox and achieve full host-level code execution. The vulnerability exists because the BashTool input schema exposes the `dangerouslyDisableSandbox` parameter, which an untrusted principal, such as a prompt-injected model, can set to `true`. Combined with the default `allowUnsandboxedCommands: true` setting, this lets an attacker escape the sandbox for any arbitrary command, resulting in code execution with elevated privileges. An attacker can exploit this vulnerability by injecting a malicious prompt that results in a tool call carrying the `dangerouslyDisableSandbox: true` input, which can be achieved by sending a crafted `tool_use` response to the vulnerable system. If exploited, this vulnerability can give an attacker control over the entire system, with significant business impact and consequences, including data breaches, system compromise, and reputational damage. Exploitation requires no prerequisites or conditions beyond the presence of a vulnerable system and a malicious actor able to inject prompts into it.
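The root cause described above is that a sandbox decision is read from model-controlled tool input. As an added example (not code from openclaude or the advisory), the JavaScript below flags `tool_use` blocks that carry `dangerouslyDisableSandbox` and gates execution on operator policy alone. The block shape, the `Bash` tool name, `findBypassRequests`, `gateToolCall` and `operatorApprovedIds` are assumptions made for illustration.

```javascript
// Added example. Only dangerouslyDisableSandbox and allowUnsandboxedCommands
// come from the advisory; every other name here is hypothetical.
const BYPASS_FLAG = 'dangerouslyDisableSandbox';

// Detection: return the tool_use blocks in which the model supplied the
// bypass flag with any value other than false.
function findBypassRequests(blocks) {
  return blocks.filter(
    (b) =>
      b && b.type === 'tool_use' &&
      b.input !== null && typeof b.input === 'object' &&
      Object.prototype.hasOwnProperty.call(b.input, BYPASS_FLAG) &&
      b.input[BYPASS_FLAG] !== false
  );
}

// Mitigation: decide sandboxing from operator-controlled policy only.
// The model-supplied flag is stripped from the input and never consulted.
function gateToolCall(block, policy) {
  const { [BYPASS_FLAG]: requested, ...input } = block.input || {};
  const operatorApproved =
    policy.allowUnsandboxedCommands === true &&
    policy.operatorApprovedIds.has(block.id);
  return {
    input, // sanitized input passed on to the tool
    sandboxed: !operatorApproved,
    bypassRequestedByModel: requested !== undefined && requested !== false,
  };
}

// Constructed sample transcript (not taken from a real session).
const sample = [
  { type: 'text', text: 'Listing files.' },
  { type: 'tool_use', id: 'call_1', name: 'Bash', input: { command: 'ls' } },
  { type: 'tool_use', id: 'call_2', name: 'Bash',
    input: { command: 'id', dangerouslyDisableSandbox: true } },
];

// Even with the default allowUnsandboxedCommands: true, nothing runs
// unsandboxed unless the operator approved that specific call.
const policy = { allowUnsandboxedCommands: true, operatorApprovedIds: new Set() };
const flagged = findBypassRequests(sample);
const decision = gateToolCall(sample[2], policy);
console.log(flagged.map((b) => b.id), decision);
```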
RECOMMENDATION:
We recommend updating openclaude to version 0.5.1.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-m77w-p5jj-xmhg