PT-2026-25468 · Npm · Openclaw
Publicado
2026-03-03
·
Atualizado
2026-03-03
CVSS v4.0
7.1
Alta
| Vetor | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Summary
system.run exec allowlist analysis treated wrapper binaries as the effective executable and did not fully unwrap env/shell-dispatch wrappers.This allowed wrapper-smuggled payloads (for example
env bash -lc ...) to satisfy an allowlist entry for the wrapper while executing non-allowlisted commands.Impact
On affected versions, an actor who can trigger
system.run requests under an allowlist policy could bypass intended allowlist restrictions by routing execution through wrapper binaries.Affected Packages / Versions
- Package:
openclaw(npm) - Affected:
<= 2026.2.21-2 - Patched in next release:
2026.2.22(pre-set below so publish can happen immediately after npm release)
Fix Commit(s)
2b63592be57782c8946e521bc81286933f0f99c7
Release Process Note
patched versions is pre-set to the planned next release (>= 2026.2.22).After npm
2026.2.22 is published, this advisory can be published directly without further metadata edits.OpenClaw thanks @tdjackey for reporting.
Correção
Incorrect Authorization
OS Command Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Openclaw