[BUG] SECURITY BUG - Agents can bypass sandbox via dangerouslyDisableSandbox parameter
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
---
Title: Agents can bypass sandbox via dangerouslyDisableSandbox parameter
Repo: https://github.com/anthropics/claude-code/issues
Description:
What happened
During a session with sandbox enabled (sandbox.enabled: true, autoAllowBashIfSandboxed: true), my main Claude agent that was running in sandbox mode instructed a sub-agent (spawned via the Agent tool) to use dangerouslyDisableSandbox: true on Bash commands. The agent was able to execute
commands outside the sandbox without any user prompt or approval.
Specifically, an agent ran git commands and docker exec commands with dangerouslyDisableSandbox: true, bypassing filesystem and network restrictions configured in the sandbox.
Expected behavior
When sandbox is enabled in settings, sub-agents spawned via the Agent tool should NOT be able to use dangerouslyDisableSandbox: true. The sandbox should be enforced on all agents in the session, not just the parent.
Why this matters
- The sandbox exists to prevent unintended access to sensitive paths (~/.ssh, ~/.gitconfig, ~/.config, etc.)
- If any agent can freely bypass it, the sandbox provides no real protection
- Users configure sandbox rules trusting they apply to ALL execution, including sub-agents
- This is especially concerning since sub-agents run in the background with less user visibility
Configuration
{
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true
}
}
What Should Happen?
When sandbox is enabled in user settings, dangerouslyDisableSandbox: true on the Bash tool should either:
- Be completely ignored when used by sub-agents — sandbox enforcement should be inherited from the session and non-overridable by any agent
- Or require an explicit user approval prompt before executing, regardless of whether the parent or a sub-agent requests it
Currently a sub-agent spawned via the Agent tool can set dangerouslyDisableSandbox: true on any Bash command and it executes without the user ever being prompted. The agent accessed ~/.gitconfig and ran docker exec commands that the
sandbox was configured to restrict. This makes the sandbox effectively opt-in for agents rather than enforced, defeating its purpose.
Error Messages/Logs
Steps to Reproduce
- Enable sandbox in ~/.claude/settings.json
- Start a session
- Spawn an Agent with a prompt instructing it to use dangerouslyDisableSandbox: true on a Bash command that accesses a denied path
- The command executes without user approval
Claude Model
None
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.104
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗