PT-2026-22355 · Npm · Openclaw

Published

2026-02-17

·

Updated

2026-02-17

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

On Windows nodes, exec requests were executed via cmd.exe /d /s /c <rawCommand>. In allowlist/approval-gated mode, the allowlist analysis did not model Windows cmd.exe parsing and metacharacter behavior. A crafted command string could cause cmd.exe to interpret additional operations (for example command chaining via &, or expansion via %...% / !...!) beyond what was allowlisted/approved.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.1
  • Patched: >= 2026.2.2
  • Latest (npm) as of 2026-02-14: 2026.2.13

Details

  • Default installs: Not affected unless you opt into exec allowlist/approval gating on Windows nodes.
  • Windows execution uses cmd.exe via src/infra/node-shell.ts.
  • The fix hardens Windows allowlist enforcement by:
  • Passing the platform into allowlist analysis and rejecting Windows shell metacharacters.
  • Treating cmd.exe invocation as not allowlist-safe on Windows.
  • Avoiding cmd.exe entirely in allowlist mode by executing the parsed argv directly when possible.

Fix Commit(s)

  • a7f4a53ce80c98ba1452eb90802d447fca9bf3d6
Thanks @simecek for reporting.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

GHSA-QJ77-C3C8-9C3Q

Affected Products

Openclaw