PT-2026-25424 · Npm · Openclaw

Published

2026-03-03

·

Updated

2026-03-03

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Summary

In allowlist mode, system.run guardrails could be bypassed through env -S, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads.

Severity Rationale (Medium)

This issue is rated medium because it is a guardrail/policy bypass in OpenClaw's trusted-operator model, not an authentication boundary break.
  • Authenticated Gateway callers are trusted operators by design.
  • exec approvals/allowlists are operator safety controls.
  • The bug still weakens expected safety behavior and can enable unintended command execution when untrusted content influences tool input.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Vulnerable versions: <= 2026.2.22-2
  • Patched versions: >= 2026.2.23
Latest published npm version checked during triage: 2026.2.22-2.

Technical Impact

When /usr/bin/env is allowlisted, env -S 'sh -c ...' could be treated as allowed non-wrapper argv while runtime still executes shell-wrapper semantics.

Fix Commit(s)

  • a1c4bf07c6baad3ef87a0e710fe9aef127b1f606 (core allowlist/runtime parity hardening)
  • 3f923e831364d83d0f23499ee49961de334cf58b (explicit env -S regressions)

Release Process Note

patched versions is pre-set to >= 2026.2.23, so this advisory is now public.
OpenClaw thanks @tdjackey for reporting.

Fix

Incomplete List of Disallowed Inputs

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-184CWE-193

Related Identifiers

GHSA-48WF-G7CP-GR3M

Affected Products

Openclaw