PT-2026-25450 · Npm · Openclaw

Published: 2026-03-03 · Updated: 2026-03-03

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

A wrapper-depth parsing mismatch in system.run allowed nested transparent dispatch wrappers (for example, repeated /usr/bin/env) to suppress shell-wrapper detection while still satisfying allowlist resolution. In security=allowlist + ask=on-miss mode, this bypassed the approval prompt that shell execution is expected to trigger.

Severity / Trust Model

OpenClaw’s documented model treats authenticated gateway callers as trusted operators and exec approvals as operator guardrails rather than as a hard security boundary. The issue is still a real approval-boundary bypass and is triaged as Medium in that model; the 8.8 (High) CVSS score above is the tracker's generic scoring, which does not assume the caller is already a trusted operator.

Technical Details

  • Dispatch-wrapper unwrapping stopped once MAX_DISPATCH_WRAPPER_DEPTH was reached, so a chain nested deeper than the limit was left only partially unwrapped.
  • Shell-wrapper extraction then ran on that partially unwrapped argv and returned non-wrapper, because the argv still began with /usr/bin/env rather than a shell.
  • Allowlist resolution could still succeed on the same partially unwrapped argv, since /usr/bin/env matched the allowlist.
  • Result: a wrapper chain nested beyond the depth limit could reach /bin/sh -c ... without a fresh approval prompt in security=allowlist + ask=on-miss.
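The mismatch described in the list above, as an added model in JavaScript. This is not OpenClaw's code and does not reproduce the fix commit: the wrapper set, the depth limit of 3, the allowlist contents and every function name below are assumptions chosen for the demonstration. The point it shows is that a depth limit which stops unwrapping but still hands the leftover argv to both the shell check and the allowlist check fails open, and that the same limit fails closed once an exhausted depth is treated as "unresolved, ask".

```javascript
// Added illustrative model of the wrapper-depth mismatch. NOT OpenClaw's
// implementation: wrapper set, depth limit, allowlist and names are assumptions.
const MAX_DEPTH = 3; // stand-in for a constant like MAX_DISPATCH_WRAPPER_DEPTH
const DISPATCH_WRAPPERS = new Set(["/usr/bin/env", "env"]);
const SHELLS = new Set(["/bin/sh", "/bin/bash", "sh", "bash"]);
const ALLOWLIST = new Set(["/usr/bin/env", "/bin/ls", "/usr/bin/git"]);
const OPTS = { maxDepth: MAX_DEPTH, allowlist: ALLOWLIST };

// Strip leading transparent dispatch wrappers ("/usr/bin/env CMD ARGS" -> "CMD ARGS"),
// at most maxDepth of them. `exhausted` is true when the limit was hit while another
// wrapper was still at the front, i.e. the returned argv is only partially unwrapped.
function unwrapDispatch(argv, maxDepth) {
  let rest = argv;
  let depth = 0;
  while (rest.length > 1 && DISPATCH_WRAPPERS.has(rest[0])) {
    if (depth >= maxDepth) return { argv: rest, exhausted: true };
    rest = rest.slice(1);
    depth += 1;
  }
  return { argv: rest, exhausted: false };
}

// "sh -c SCRIPT" style invocation: the case that must always get a fresh approval.
function isShellWrapper(argv) {
  return argv.length >= 3 && SHELLS.has(argv[0]) && argv[1] === "-c";
}

// Vulnerable decision (security=allowlist, ask=on-miss): shell detection and allowlist
// resolution both run on whatever unwrapDispatch left over. When unwrapping stopped
// early, the leftover argv still starts with the allowlisted /usr/bin/env, the shell
// check sees no shell, and the command is allowed without a prompt.
function decideVulnerable(argv, opts) {
  const { argv: inner } = unwrapDispatch(argv, opts.maxDepth);
  if (isShellWrapper(inner)) return "ask";
  return opts.allowlist.has(inner[0]) ? "allow" : "ask";
}

// Hardened decision: a chain that could not be fully unwrapped is unresolved, so fail
// closed and require approval. Allowlist resolution is only trusted on a fully
// unwrapped argv; a depth overflow can never count as an allowlist hit.
function decideFixed(argv, opts) {
  const { argv: inner, exhausted } = unwrapDispatch(argv, opts.maxDepth);
  if (exhausted || isShellWrapper(inner)) return "ask";
  return opts.allowlist.has(inner[0]) ? "allow" : "ask";
}

// Constructed test input: n env wrappers in front of a shell invocation.
function nestedEnvShell(n, script) {
  return [...Array(n).fill("/usr/bin/env"), "/bin/sh", "-c", script];
}

// Runs both decision functions over a fixed set of constructed argv chains.
function scenarios() {
  const cases = {
    plainAllowlisted: ["/bin/ls", "-la"],
    directShell: ["/bin/sh", "-c", "id"],
    oneWrapper: nestedEnvShell(1, "id"),
    atLimit: nestedEnvShell(MAX_DEPTH, "id"),
    overLimit: nestedEnvShell(MAX_DEPTH + 1, "id"),
  };
  return Object.fromEntries(
    Object.entries(cases).map(([name, argv]) => [
      name,
      { vulnerable: decideVulnerable(argv, OPTS), fixed: decideFixed(argv, OPTS) },
    ])
  );
}

for (const [name, r] of Object.entries(scenarios())) {
  console.log(`${name.padEnd(16)} vulnerable=${r.vulnerable.padEnd(5)} fixed=${r.fixed}`);
}
```

Only the overLimit chain (one wrapper more than the depth limit) separates the two models: the vulnerable decision auto-allows it, the hardened one asks. The page states the patched behaviour as a denial with SYSTEM_RUN_DENIED: approval required; the fail-closed branch above models that outcome, not the upstream diff in commit 57c9a18.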

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published version at triage time: 2026.2.23
  • Vulnerable versions: <= 2026.2.23
  • Patched versions (planned next release): >= 2026.2.24

Fix Commit(s)

  • 57c9a18180c8b14885bbd95474cbb17ff2d03f0b

Verification

  • Added regression coverage for depth-overflow wrapper chains at both the resolution layer and the system.run invocation layer.
  • Reproduced the previous PoC behaviour before the fix, then confirmed that the same chain is denied after the fix with SYSTEM_RUN_DENIED: approval required.

Release Process Note

The patched-versions field is pre-set to the planned next release (2026.2.24) so that, once npm publish is complete, advisory publication can proceed without further version edits.
OpenClaw thanks @tdjackey for reporting.

Publication Update (2026-02-25)

openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.

Fix

  • Upgrade openclaw to >= 2026.2.24 (contains fix commit 57c9a18180c8b14885bbd95474cbb17ff2d03f0b).

Weakness Enumeration

  • Improper Access Control (CWE-284)
  • Incorrect Authorization (CWE-863)

Related Identifiers

  • GHSA-CCG8-46R6-9QGJ

Affected Products

Openclaw