Search criteria
3 vulnerabilities by Gitlawb
CVE-2026-42073 (GCVE-0-2026-42073)
Vulnerability from cvelistv5 – Published: 2026-06-02 15:38 – Updated: 2026-06-02 17:40
VLAI
Title
OpenClaude's MCP OAuth Callback: State Check Bypass via error Param Leads to DoS
Summary
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down — without knowing the state value at all. This issue has been patched in version 0.5.1.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Gitlawb/openclaude/security/ad… | x_refsource_CONFIRM |
| https://github.com/Gitlawb/openclaude/commit/739b… | x_refsource_MISC |
| https://github.com/Gitlawb/openclaude/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Gitlawb | openclaude |
Affected:
< 0.5.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42073",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T17:37:51.060222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T17:40:55.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-c73c-x77g-854r"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openclaude",
"vendor": "Gitlawb",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down \u2014 without knowing the state value at all. This issue has been patched in version 0.5.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:38:53.435Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-c73c-x77g-854r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-c73c-x77g-854r"
},
{
"name": "https://github.com/Gitlawb/openclaude/commit/739b8d1f40fde0e401a5cbd2b9a55d88bd5124ad",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Gitlawb/openclaude/commit/739b8d1f40fde0e401a5cbd2b9a55d88bd5124ad"
},
{
"name": "https://github.com/Gitlawb/openclaude/releases/tag/v0.5.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Gitlawb/openclaude/releases/tag/v0.5.1"
}
],
"source": {
"advisory": "GHSA-c73c-x77g-854r",
"discovery": "UNKNOWN"
},
"title": "OpenClaude\u0027s MCP OAuth Callback: State Check Bypass via error Param Leads to DoS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42073",
"datePublished": "2026-06-02T15:38:53.435Z",
"dateReserved": "2026-04-23T19:17:30.565Z",
"dateUpdated": "2026-06-02T17:40:55.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42074 (GCVE-0-2026-42074)
Vulnerability from cvelistv5 – Published: 2026-06-02 15:38 – Updated: 2026-06-02 17:53
VLAI
Title
OpenClaude: Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
Summary
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own threat model) can set it to true in any tool_use response. Combined with the default allowUnsandboxedCommands: true setting, a prompt-injected model can escape the sandbox for any arbitrary command, achieving full host-level code execution. This issue has been patched in version 0.5.1.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Gitlawb/openclaude/security/ad… | x_refsource_CONFIRM |
| https://github.com/Gitlawb/openclaude/pull/778 | x_refsource_MISC |
| https://github.com/Gitlawb/openclaude/commit/aab4… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Gitlawb | openclaude |
Affected:
< 0.5.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42074",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T17:53:30.436779Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T17:53:35.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m77w-p5jj-xmhg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openclaude",
"vendor": "Gitlawb",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project\u0027s own threat model) can set it to true in any tool_use response. Combined with the default allowUnsandboxedCommands: true setting, a prompt-injected model can escape the sandbox for any arbitrary command, achieving full host-level code execution. This issue has been patched in version 0.5.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T15:38:24.753Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m77w-p5jj-xmhg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m77w-p5jj-xmhg"
},
{
"name": "https://github.com/Gitlawb/openclaude/pull/778",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Gitlawb/openclaude/pull/778"
},
{
"name": "https://github.com/Gitlawb/openclaude/commit/aab489055c53dd64369414116fe93226d2656273",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Gitlawb/openclaude/commit/aab489055c53dd64369414116fe93226d2656273"
}
],
"source": {
"advisory": "GHSA-m77w-p5jj-xmhg",
"discovery": "UNKNOWN"
},
"title": "OpenClaude: Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42074",
"datePublished": "2026-06-02T15:38:24.753Z",
"dateReserved": "2026-04-23T19:17:30.565Z",
"dateUpdated": "2026-06-02T17:53:35.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35570 (GCVE-0-2026-35570)
Vulnerability from cvelistv5 – Published: 2026-04-20 23:24 – Updated: 2026-04-21 19:49
VLAI
Title
OpenClaude has Sandbox Bypass via Early-Exit Logic Flaw that Allows Path Traversal
Summary
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an `allow` result immediately — before the path constraint filter (`checkPathConstraints`) is ever evaluated. This allows commands containing path traversal sequences (e.g., `../../../../../etc/passwd`) to bypass directory restrictions entirely. Version 0.5.1 contains a patch for the issue.
Severity
8.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Gitlawb/openclaude/security/ad… | x_refsource_CONFIRM |
| https://github.com/Gitlawb/openclaude/commit/7002… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Gitlawb | openclaude |
Affected:
< 0.5.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35570",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T16:01:46.877935Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:49:30.148Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m6rx-7pvw-2f73"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openclaude",
"vendor": "Gitlawb",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an `allow` result immediately \u2014 before the path constraint filter (`checkPathConstraints`) is ever evaluated. This allows commands containing path traversal sequences (e.g., `../../../../../etc/passwd`) to bypass directory restrictions entirely. Version 0.5.1 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T23:24:08.324Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m6rx-7pvw-2f73",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m6rx-7pvw-2f73"
},
{
"name": "https://github.com/Gitlawb/openclaude/commit/7002cb302b78ea2a19da3f26226de24e2903fa1d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Gitlawb/openclaude/commit/7002cb302b78ea2a19da3f26226de24e2903fa1d"
}
],
"source": {
"advisory": "GHSA-m6rx-7pvw-2f73",
"discovery": "UNKNOWN"
},
"title": "OpenClaude has Sandbox Bypass via Early-Exit Logic Flaw that Allows Path Traversal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35570",
"datePublished": "2026-04-20T23:24:08.324Z",
"dateReserved": "2026-04-03T20:09:02.826Z",
"dateUpdated": "2026-04-21T19:49:30.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}