PT-2026-22351 · Npm · Openclaw

Publicado

2026-02-17

·

Atualizado

2026-02-17

CVSS v3.1

9.8

Crítica

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Exec approvals allowlist bypass via command substitution/backticks inside double quotes.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.1
  • Fixed: >= 2026.2.2

Impact

Only affects setups that explicitly enable the optional exec approvals allowlist feature. Default installs are unaffected.

Fix

Reject unescaped $() and backticks inside double quotes during allowlist analysis.

Fix Commit(s)

  • d1ecb46076145deb188abcba8f0699709ea17198
Thanks @simecek for reporting.

Correção

Argument Injection

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-88CWE-78

Identificadores relacionados

GHSA-3HCM-GGVF-RCH5

Produtos afetados

Openclaw