PT-2026-35590 · Npm · Openclaw

Published: 2026-04-17 · Updated: 2026-04-17

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

busybox and toybox applet execution weakened exec approval binding.

Affected Packages / Versions

  • Package: openclaw
  • Ecosystem: npm
  • Affected versions: >= 2026.2.23 < 2026.4.12
  • Patched versions: >= 2026.4.12

Impact

Opaque multi-call binaries such as busybox and toybox could obscure which applet or script-like behavior would actually run, weakening exec approval binding and risk classification.

Technical Details

The fix treats busybox and toybox as opaque mutable script runners and fails closed rather than binding unsafe applet invocations.
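As an added illustration, not code from openclaw, the JavaScript below contrasts the weak binding (approval keyed on the binary name alone, so one approval covers every applet) with a fail-closed classifier; the binary and script-runner lists and the injectable `realpath` resolver are assumptions made for the example.

```javascript
// Added illustration (not openclaw's code): why binding an exec approval to the
// binary name alone is unsafe for multi-call binaries, and a fail-closed check.

// Multi-call binaries: the applet that actually runs is chosen by argv[0]'s
// name (symlink) or by argv[1], not by the binary path an approval is bound to.
const MULTI_CALL_BINARIES = new Set(["busybox", "toybox"]);
// Programs/applets that interpret scripts or arbitrary code (illustrative list).
const SCRIPT_RUNNERS = new Set(["sh", "ash", "hush", "awk", "lua"]);

const basename = (p) => p.slice(p.lastIndexOf("/") + 1);

// Naive binding (the weakness): key = basename of argv[0]. An approval granted
// for "busybox ls" then matches "busybox sh -c ..." because both yield "busybox".
function naiveBindingKey(argv) {
  return basename(argv[0]);
}

// Hardened classification. `realpath` is an injectable resolver (identity by
// default) so a symlink such as /bin/sh -> /bin/busybox can be recognised
// without touching the filesystem in this example.
function classifyExec(argv, realpath = (p) => p) {
  if (!Array.isArray(argv) || argv.length === 0) {
    return { decision: "deny", reason: "empty argv" };
  }
  const names = [basename(argv[0]), basename(realpath(argv[0]))];
  const multiCall = names.find((n) => MULTI_CALL_BINARIES.has(n));
  if (multiCall) {
    // Fail closed: "busybox sh", "busybox awk", ... run arbitrary code and the
    // applet set can change; binding an approval to "busybox" would hide that.
    const applet = MULTI_CALL_BINARIES.has(names[0]) ? (argv[1] ?? "(none)") : names[0];
    return {
      decision: "deny",
      reason: `${multiCall} is an opaque multi-call binary (applet "${applet}")`,
    };
  }
  const key = names[0];
  return { decision: "bind", key, risk: SCRIPT_RUNNERS.has(key) ? "high" : "normal" };
}
```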

Fix

The issue was fixed in #65713. The first stable tag containing the fix is v2026.4.12, and openclaw@2026.4.14 includes the fix.

Fix Commit(s)

  • 666f48d9b882a8a1415ca53f9567c72499d850c9
  • PR: #65713

Release Process Note

Users should upgrade to openclaw 2026.4.12 or newer. The latest npm release, 2026.4.14, already includes the fix.

Credits

Thanks to @decsecre583 for reporting this issue.

Weakness Enumeration

Incorrect Authorization


Related identifiers

GHSA-2CQ5-MF3V-MX44

Affected products

Openclaw