PT-2026-6419 — Missing Authentication em Npm Openclaw

PT-2026-6419 · Npm · Openclaw

Publicado

2026-02-04

Atualizado

2026-02-04

CVSS v3.1

8.4

Alta

Vetor

AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

An unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user.

Impact

A local process on the same machine could execute arbitrary commands as the gateway process user.

Details

config.apply accepted raw JSON and wrote it to disk after schema validation.
cliPath values were not constrained to safe executable names/paths.
Command discovery used a shell invocation when resolving executables.

Mitigation

Upgrade to a patched release. If projects cannot upgrade immediately, set gateway.auth and avoid custom cliPath values.

Correção

Missing Authentication

OS Command Injection

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-306CWE-78CWE-20

Identificadores relacionados

GHSA-G55J-C2V4-PJCG

Produtos afetados

Openclaw