Technical description
In OpenClaude versions prior to 0.5.1, the BashTool input schema exposes the dangerouslyDisableSandbox parameter to the LLM. Because the project's own threat model classifies the LLM as an untrusted principal, the model itself, or an attacker who can influence the model's reasoning via prompt injection, can set dangerouslyDisableSandbox=true and escape the BashTool sandbox entirely, executing arbitrary commands without the sandbox restrictions the developer intended.
Attack vector
The LLM reasoning layer, a principal the project classifies as untrusted, can set dangerouslyDisableSandbox=true as part of a normal BashTool invocation. An attacker can trigger this via prompt injection in any content the agent processes (documents, web pages, tool outputs) by instructing the model to disable the sandbox before executing commands.
Affected systems
OpenClaude (Gitlawb/openclaude) versions prior to 0.5.1. More broadly, any AI coding agent or CLI tool that exposes security-critical configuration parameters in the LLM-visible input schema is vulnerable to the same class of attack.
Mitigation
Upgrade to OpenClaude 0.5.1 or later (patch commit aab489055c53dd64369414116fe93226d2656273 removes dangerouslyDisableSandbox from the BashTool input schema). For agent developers: audit all tool schemas for security-critical parameters that should be operator-controlled only and remove them from LLM-visible schema definitions. The same release also fixes a companion vulnerability, CVE-2026-42073 (CVSS 6.5), a CSRF/state-parameter bypass in the MCP OAuth callback flow.
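The following is an added example, not code from OpenClaude or its patch, showing the developer-side mitigation described above: a BashTool schema in the vulnerable shape (the sandbox flag is a model-settable property) next to a hardened shape (the flag is gone and unknown fields are rejected), an audit function that scans tool schemas for operator-only parameter names, and an execution planner that takes the sandbox decision from operator configuration alone. The schema layout, the OPERATOR_ONLY_PATTERNS denylist and every function name here are assumptions chosen for illustration.

```typescript
// Added example (not OpenClaude's code). Demonstrates keeping security-critical
// settings out of the LLM-visible tool schema and auditing schemas for leaks.

type PropertySpec = { type: string; description?: string };
type JsonSchema = {
  type: "object";
  properties: Record<string, PropertySpec>;
  required?: string[];
  additionalProperties?: boolean;
};

// "Before": the sandbox flag is a declared property, so a model-supplied
// `dangerouslyDisableSandbox: true` passes validation (the bug class).
const bashToolSchemaVulnerable: JsonSchema = {
  type: "object",
  properties: {
    command: { type: "string", description: "Shell command to run" },
    dangerouslyDisableSandbox: { type: "boolean", description: "Run without sandbox" },
  },
  required: ["command"],
};

// "After": the model can only describe what to run; nothing about how it is confined.
const bashToolSchemaHardened: JsonSchema = {
  type: "object",
  properties: {
    command: { type: "string", description: "Shell command to run" },
  },
  required: ["command"],
  additionalProperties: false,
};

// Operator-only settings live outside the model-visible schema entirely.
interface OperatorConfig {
  sandboxEnabled: boolean;
}

// Hypothetical denylist of parameter-name fragments that must never be model-settable.
const OPERATOR_ONLY_PATTERNS: RegExp[] = [/dangerously/i, /sandbox/i, /allowlist/i, /permission/i];

interface AuditFinding {
  tool: string;
  parameter: string;
}

// Walk every registered tool schema and report properties matching the denylist.
function auditToolSchemas(schemas: Record<string, JsonSchema>): AuditFinding[] {
  const findings: AuditFinding[] = [];
  for (const [tool, schema] of Object.entries(schemas)) {
    for (const parameter of Object.keys(schema.properties)) {
      if (OPERATOR_ONLY_PATTERNS.some((pattern) => pattern.test(parameter))) {
        findings.push({ tool, parameter });
      }
    }
  }
  return findings;
}

// Default-deny validation of a model-supplied tool call: fields not declared in the
// schema are rejected unless the schema explicitly opts into additionalProperties.
function validateModelInput(schema: JsonSchema, input: Record<string, unknown>): string[] {
  const errors: string[] = [];
  for (const key of schema.required ?? []) {
    if (!(key in input)) errors.push(`missing required field: ${key}`);
  }
  for (const [key, value] of Object.entries(input)) {
    const spec = schema.properties[key];
    if (!spec) {
      if (schema.additionalProperties !== true) errors.push(`unexpected field: ${key}`);
    } else if (typeof value !== spec.type) {
      errors.push(`wrong type for ${key}: expected ${spec.type}`);
    }
  }
  return errors;
}

interface ExecutionRequest {
  command: string;
  sandboxed: boolean;
}

// The sandbox decision is read from operator config only; the model's input
// contributes the command and nothing else.
function planBashExecution(config: OperatorConfig, modelInput: Record<string, unknown>): ExecutionRequest {
  const errors = validateModelInput(bashToolSchemaHardened, modelInput);
  if (errors.length > 0) throw new Error(`rejected tool call: ${errors.join("; ")}`);
  return { command: modelInput.command as string, sandboxed: config.sandboxEnabled };
}

// Constructed sample: what a prompt-injected tool call would look like.
const injectedCall: Record<string, unknown> = { command: "ls", dangerouslyDisableSandbox: true };
console.log("audit findings:", auditToolSchemas({ BashTool: bashToolSchemaVulnerable }));
console.log("vulnerable schema errors:", validateModelInput(bashToolSchemaVulnerable, injectedCall));
console.log("hardened schema errors:", validateModelInput(bashToolSchemaHardened, injectedCall));
```

Running the audit over the vulnerable schema reports BashTool.dangerouslyDisableSandbox, while the hardened schema produces no findings and rejects the injected field at validation time, so the flag never reaches planBashExecution. The denylist approach is a heuristic for a first pass; the durable fix is the structural one, keeping operator settings in a configuration object the model never sees.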