PT-2026-25121 — Incomplete List of Disallowed Inputs in Npm Openclaw

PT-2026-25121 · Npm · Openclaw

Published

2026-03-02

Updated

2026-03-02

CVSS v4.0

6.9

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

OpenClaw exec approvals could be bypassed in allowlist mode when allow-always was granted through unrecognized multiplexer shell wrappers (notably busybox sh -c and toybox sh -c).

Affected Packages / Versions

Package: openclaw (npm)
Affected: <= 2026.2.22-2
Latest published vulnerable version at triage time: 2026.2.22-2 (checked on February 24, 2026)
Fixed on main: yes
Patched release: 2026.2.23

Details

Wrapper analysis treated busybox/toybox invocations as non-wrapper commands in this path, so allow-always persisted the wrapper binary path instead of the inner executable. That allowed later arbitrary payloads under the same multiplexer wrapper to satisfy the stored allowlist rule.

The fix hardens wrapper detection and persistence behavior for these multiplexer shell applets so approvals bind to intended inner executables and fail closed when unwrap safety is uncertain.

Fix Commit(s)

a67689a7e3ad494b6637c76235a664322d526f9e

Release Process Note

patched versions is pre-set to the released version (2026.2.23). This advisory now reflects released fix version 2026.2.23.

OpenClaw thanks @jiseoung for reporting.

Fix

Incomplete List of Disallowed Inputs

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-184

Related Identifiers

GHSA-GWQP-86Q6-W47G

Affected Products

Openclaw