PT-2026-25098 · Npm · Openclaw

Published

2026-03-03

·

Updated

2026-03-03

CVSS v4.0

7.5

High

VectorAV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

system.run allowed SHELLOPTS + PS4 environment injection to trigger command substitution during bash -lc xtrace expansion before the allowlisted command body executed.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.21-2 (includes latest published npm version at triage time)
  • Patched (planned next release): 2026.2.22

Impact

In allowlist mode, an attacker who can invoke system.run with request-scoped env could execute additional shell commands outside the intended allowlisted command body.

Root Cause

Host exec env sanitization blocked startup-file vectors (BASH ENV, ENV, etc.) but did not block SHELLOPTS/PS4. For shell wrappers (bash|sh|zsh ... -c/-lc), request env overrides were passed through and bash evaluated PS4 under xtrace, enabling command substitution.

Fix

  • Block SHELLOPTS and PS4 in host exec env sanitizers (Node + macOS).
  • For shell wrappers (bash|sh|zsh ... -c/-lc), reduce request-scoped env overrides to an explicit allowlist (TERM, LANG, LC *, COLORTERM, NO COLOR, FORCE COLOR).
  • Add regression tests for TS and macOS paths.

Fix Commit(s)

  • e80c803fa887f9699ad87a9e906ab5c1ff85bd9a

Release Process Note

patched versions is pre-set to the planned next release (2026.2.22). Once npm release 2026.2.22 is published, advisory publication is a final state action only.

Severity Rationale

This advisory is rated medium because exploitation requires a caller that can already invoke system.run with request-scoped env.
Under OpenClaw's documented trust model (SECURITY.md), authenticated Gateway callers are treated as trusted operators, and adversarial multi-operator / prompt-injection scenarios are out of scope.
The bug remains a real allowlist-intent bypass, but it does not cross a separate trust boundary in the documented deployment assumptions.
OpenClaw thanks @tdjackey for reporting.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-78CWE-15

Related Identifiers

GHSA-2FGQ-7J6H-9RM4

Affected Products

Openclaw