PT-2026-25464 · Npm · Openclaw
Published
2026-03-03
·
Updated
2026-03-03
CVSS v4.0
7.6
High
| Vector | AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Summary
In some opt-in sandbox configurations, the experimental apply patch tool did not consistently apply workspace-only checks to mounted paths (for example /agent/...).
Impact
This does not affect default installs.
Default posture:
- agents.defaults.sandbox.mode=off (sandbox disabled by default)
- tools.exec.applyPatch.enabled=false (experimental tool disabled by default)
This behavior applies only when all of the following are enabled/configured:
- sandbox mode,
- experimental apply patch,
- workspace-only expectations (tools.fs.workspaceOnly=true and/or tools.exec.applyPatch.workspaceOnly=true),
- and writable mounts outside the workspace.
Under that opt-in setup, apply patch operations could target mounted paths outside the workspace root.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected published versions: <= 2026.2.22-2
- Fixed in code on main: commit 6634030be31e1a1842967df046c2f2e47490e6bf
- Patched release: 2026.2.23
Technical Details
In the sandbox path flow, apply patch used sandbox.bridge.resolvePath(...) without applying the same workspace-root assertion used by other filesystem tools. The fix makes apply patch follow the same workspace-only enforcement for sandbox-resolved paths (unless explicitly disabled with tools.exec.applyPatch.workspaceOnly=false).
Fix Commit(s)
6634030be31e1a1842967df046c2f2e47490e6bf
Release Process Note
The patched-versions field is pre-set to the released version (2026.2.23). Patched in 2026.2.23 and published.
OpenClaw thanks @tdjackey for reporting.
Fix
Path traversal
Improper Access Control
Incorrect Authorization
Related identifiers
Affected products
Openclaw