PT-2026-25419 — Incomplete List of Disallowed Inputs em Npm Openclaw

PT-2026-25419 · Npm · Openclaw

Publicado

2026-03-03

Atualizado

2026-03-03

CVSS v3.1

7.1

Alta

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Summary

OpenClaw exec allowlist/safeBins policy could be bypassed with attached short-option payloads (for example sort -o/tmp/poc), enabling file-write operations while still satisfying safeBins checks.

Affected Packages / Versions

Package: openclaw (npm)
Affected versions: <= 2026.2.17
Latest published vulnerable version: 2026.2.17
Patched in: 2026.2.19

Impact

When tools.exec.security=allowlist and tools.exec.safeBins included affected binaries, attached short-option payloads could bypass safeBins argument validation and permit file-write behavior that should have been denied.

Fix Commit(s)

cfe8457a0f4aae5324daec261d3b0aad1461a4bc
bafdbb6f112409a65decd3d4e7350fbd637c7754
fec48a5006eab37c6a5821726ccaeec886486b13

OpenClaw thanks @FailButWin and @Redgrave961 for reporting.

Correção

Incomplete List of Disallowed Inputs

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-184

Identificadores relacionados

GHSA-3X3X-H76W-HP98

Produtos afetados

Openclaw