PT-2026-26499 · Npm · Openclaw

Published: 2026-03-09 · Updated: 2026-03-09

CVSS v3.1: 5.0 (Medium)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
OpenClaw's system.run allowlist analysis did not honor POSIX shell comment semantics when deriving allow-always persistence entries.
A caller in security=allowlist mode who received an allow-always decision could submit a shell command whose tail was commented out at runtime, for example by using an unquoted # before a chained payload. The runtime shell would execute only the pre-comment portion, but allowlist persistence could still analyze and store the non-executed tail as a trusted follow-up command.
Latest published npm version: 2026.3.2
Fixed on main on March 7, 2026 in 939b18475d734ed75173f59507e3ebbdfe1992b7 by teaching shell tokenization and chain/pipeline analysis to stop at unquoted shell comments, so allow-always persistence now tracks only commands that the shell can actually execute. Normal real chained commands and quoted # literals continue to work.
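To make the fix concrete, here is a small added example (written for this page, not OpenClaw's own tokenizer or the code from the fix commit) of the analysis the advisory describes: a POSIX-style splitter that breaks a command line into its chained simple commands and stops at an unquoted `#`, so allow-always persistence only derives entries from commands the shell would actually run. The `honorComments: false` option reproduces the pre-fix behaviour for comparison; the function names, the option name and the sample command lines are all constructed for this example.

```javascript
// Added example (not OpenClaw's code): split a shell command line into its
// chain of simple commands, honoring quotes and unquoted '#' comments, and
// derive the executable names that allow-always persistence would store.

// Chain/pipeline operators, longest match first.
const OPERATORS = ["&&", "||", ";", "|"];

// Returns an array of simple commands, each an array of words.
// honorComments=false mimics the pre-fix analysis, where '#' was an
// ordinary character and the commented-out tail was still analysed.
function splitChain(cmdline, { honorComments = true } = {}) {
  const commands = [];
  let words = [];
  let word = "";
  let inWord = false;
  let i = 0;
  const n = cmdline.length;

  const endWord = () => {
    if (inWord) { words.push(word); word = ""; inWord = false; }
  };
  const endCommand = () => {
    endWord();
    if (words.length > 0) { commands.push(words); words = []; }
  };

  while (i < n) {
    const c = cmdline[i];

    // An unquoted '#' at the start of a word begins a comment that runs to
    // end of line: the shell executes nothing after it, so stop analysing.
    if (honorComments && c === "#" && !inWord) break;

    if (c === "'") {
      // Single quotes: everything up to the closing quote is literal.
      const close = cmdline.indexOf("'", i + 1);
      if (close === -1) throw new Error("unterminated single quote");
      word += cmdline.slice(i + 1, close);
      inWord = true;
      i = close + 1;
      continue;
    }

    if (c === '"') {
      // Double quotes: only \\ \" \$ \` are escapes; '#' stays literal.
      i += 1;
      let closed = false;
      while (i < n) {
        const d = cmdline[i];
        if (d === "\\" && i + 1 < n && '\\"$`'.includes(cmdline[i + 1])) {
          word += cmdline[i + 1];
          i += 2;
        } else if (d === '"') {
          closed = true;
          i += 1;
          break;
        } else {
          word += d;
          i += 1;
        }
      }
      if (!closed) throw new Error("unterminated double quote");
      inWord = true;
      continue;
    }

    if (c === "\\" && i + 1 < n) {
      // Unquoted backslash: the next character is literal, so "\#" is a word.
      word += cmdline[i + 1];
      inWord = true;
      i += 2;
      continue;
    }

    const op = OPERATORS.find((o) => cmdline.startsWith(o, i));
    if (op) {
      // Chain/pipeline operator: the current simple command is complete.
      endCommand();
      i += op.length;
      continue;
    }

    if (c === " " || c === "\t") { endWord(); i += 1; continue; }

    word += c;
    inWord = true;
    i += 1;
  }
  endCommand();
  return commands;
}

// The entries allow-always persistence would record: one executable name per
// simple command that the shell can actually reach.
function deriveAllowEntries(cmdline, opts) {
  return splitChain(cmdline, opts).map((words) => words[0]);
}

// Constructed sample: the tail after '#' is never executed by the shell.
console.log(deriveAllowEntries("ls -la # && touch /tmp/x"));
console.log(deriveAllowEntries("ls -la # && touch /tmp/x", { honorComments: false }));
```

With comments honored, the first call yields only `ls`, while the pre-fix mode also records `touch`, which is exactly the persisted-but-never-executed entry the advisory describes. Quoted `#` characters (`grep '#' file | sort`) and escaped ones (`\#tag`) are still treated as ordinary words, matching the note that real chained commands and quoted `#` literals keep working.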

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.3.2
  • Patched version: >= 2026.3.7

Fix Commit(s)

  • 939b18475d734ed75173f59507e3ebbdfe1992b7

Release Process Note

npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @tdjackey for reporting.

Fix

Incorrect Authorization


Weakness Enumeration

Related identifiers

GHSA-9Q2P-VC84-2RWM

Affected products

Openclaw