PT-2026-22527 — Incomplete List of Disallowed Inputs em Npm Openclaw

PT-2026-22527 · Npm · Openclaw

Publicado

2026-02-19

Atualizado

2026-02-19

CVSS v3.1

3.6

Baixa

Vetor

AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Summary

tools.exec.safeBins could be bypassed for filesystem access when sort output flags (-o / --output) or recursive grep flags were allowed through safe-bin execution paths.

Affected Packages / Versions

Package: openclaw (npm)
Affected versions: <= 2026.2.17
Patched versions: >= 2026.2.19
Latest published version at triage time: 2026.2.17

Impact

In deployments that enabled tools.exec.safeBins, an attacker with access to command execution flows could turn intended stdin-only safe-bin usage into file writes (sort -o) or recursive file reads (grep -R).

Fix Commit(s)

2c05cbb43e48ebad03626d3125746fb1b9a8520f

Found using MCPwner

Thanks @nedlir for reporting.

Correção

Incomplete List of Disallowed Inputs

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-184CWE-78

Identificadores relacionados

GHSA-4685-C5CP-VP95

Produtos afetados

Openclaw