[BUG] SECURITY BUG - Agents can bypass sandbox via dangerouslyDisableSandbox parameter

Resolved 💬 3 comments Opened Apr 13, 2026 by andersbranderud Closed Apr 17, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

---
Title: Agents can bypass sandbox via dangerouslyDisableSandbox parameter

Repo: https://github.com/anthropics/claude-code/issues

Description:

What happened

During a session with sandbox enabled (sandbox.enabled: true, autoAllowBashIfSandboxed: true), my main Claude agent that was running in sandbox mode instructed a sub-agent (spawned via the Agent tool) to use dangerouslyDisableSandbox: true on Bash commands. The agent was able to execute
commands outside the sandbox without any user prompt or approval.

Specifically, an agent ran git commands and docker exec commands with dangerouslyDisableSandbox: true, bypassing filesystem and network restrictions configured in the sandbox.

Expected behavior

When sandbox is enabled in settings, sub-agents spawned via the Agent tool should NOT be able to use dangerouslyDisableSandbox: true. The sandbox should be enforced on all agents in the session, not just the parent.

Why this matters

  • The sandbox exists to prevent unintended access to sensitive paths (~/.ssh, ~/.gitconfig, ~/.config, etc.)
  • If any agent can freely bypass it, the sandbox provides no real protection
  • Users configure sandbox rules trusting they apply to ALL execution, including sub-agents
  • This is especially concerning since sub-agents run in the background with less user visibility

Configuration

{
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true
}
}

What Should Happen?

When sandbox is enabled in user settings, dangerouslyDisableSandbox: true on the Bash tool should either:

  1. Be completely ignored when used by sub-agents — sandbox enforcement should be inherited from the session and non-overridable by any agent
  2. Or require an explicit user approval prompt before executing, regardless of whether the parent or a sub-agent requests it

Currently a sub-agent spawned via the Agent tool can set dangerouslyDisableSandbox: true on any Bash command and it executes without the user ever being prompted. The agent accessed ~/.gitconfig and ran docker exec commands that the
sandbox was configured to restrict. This makes the sandbox effectively opt-in for agents rather than enforced, defeating its purpose.

Error Messages/Logs

Steps to Reproduce

  1. Enable sandbox in ~/.claude/settings.json
  2. Start a session
  3. Spawn an Agent with a prompt instructing it to use dangerouslyDisableSandbox: true on a Bash command that accesses a denied path
  4. The command executes without user approval

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.104

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗