PT-2026-25117 · Npm · Openclaw

Published

2026-03-02

·

Updated

2026-03-02

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.25
  • Fixed: >= 2026.2.26 (planned next npm release)

Impact

A command approved for one filesystem location could execute from a different location if a mutable parent symlink changed between approval and execution.

Fix

  • Added immutable approval-time plan preparation (system.run.prepare) and systemRunPlanV2 canonical fields (argv, cwd, agentId, sessionKey).
  • Enforced canonical plan values through approval request storage and forwarding-time sanitization.
  • Rejected mutable parent-symlink path components during approval-plan building to block symlink rebind bypass.
  • Follow-up refactors centralized command catalogs and approval context/error handling to reduce future drift.

Fix Commit(s)

  • 78a7ff2d50fb3bcef351571cb5a0f21430a340c1
  • d82c042b09727a6148f3ca651b254c4a677aff26
  • d06632ba45a8482192792c55d5ff0b2e21abb0a7
  • 4e690e09c746408b5e27617a20cb3fdc5190dbda
  • 4b4718c8dfce2e2c48404aa5088af7c013bed60b

Release Process Note

patched versions is pre-set to the planned next release (2026.2.26). Once npm openclaw@2026.2.26 is published, publish this advisory directly without further version-field edits.
OpenClaw thanks @tdjackey for reporting.

Fix

Link Following

Time Of Check To Time Of Use

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-59CWE-367

Related Identifiers

GHSA-F7WW-2725-QVW2

Affected Products

Openclaw