PT-2026-25461 · Npm · Openclaw
Published 2026-03-03 · Updated 2026-03-03
CVSS v3.1: 6.7 (Medium)
Vector: AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
In openclaw@2026.3.1, node system.run approval-path hardening rewrote wrapper command argv in a way that changed execution semantics. A command shown and approved as a shell payload (for example echo SAFE) could execute a different local script when the wrapper argv were rewritten.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected: 2026.3.1 (latest published npm version as of March 2, 2026)
- Fixed release: 2026.3.2 (released)
Technical Details
Root cause was in node-host approval hardening for system.run:
- src/node-host/invoke-system-run-plan.ts rewrote argv[0] to the resolved executable.
- Wrapper resolution unwrapped dispatch wrappers, so input like ['env','sh','-c','echo SAFE'] resolved to the executable sh.
- The approved plan could become ['/bin/sh','sh','-c','echo SAFE'] while the approval text remained echo SAFE.
That rewrite changed runtime behavior: /bin/sh interprets the extra sh positional argument as a script path, so a local ./sh file in the approved cwd would be executed instead of the approved payload text.
Impact
Approval-integrity break in the host=node execution flow: operator-visible command text and executed behavior could diverge.
Exploit preconditions:
- attacker can influence wrapper argv and place a local file in the approved working directory,
- operator grants approval for the displayed command.
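As an added illustration of the argv[0] rewrite described under Technical Details and of the approval-integrity property the Impact section describes, the TypeScript below is not OpenClaw's code and not the implementation in the fix commit. It models a dispatch-wrapper unwrap, the buggy and corrected rewrite shapes, a simplified model of how /bin/sh reads its argument list, and a guard that rejects any plan whose effective shell action no longer matches the approved command text. The wrapper set, the sh-to-/bin/sh resolution table and the guard itself are assumptions made for this example.

```typescript
// Added example, not OpenClaw's code: models the argv[0] rewrite from the
// advisory and a guard that catches the resulting approval/execution mismatch.

type Plan = { argv: string[]; approvedText: string };

type ShellAction =
  | { kind: "command"; text: string }
  | { kind: "script"; path: string }
  | { kind: "interactive" };

// Assumed tables for the example; the project's real wrapper list and
// executable resolver are not reproduced here.
const DISPATCH_WRAPPERS = new Set<string>(["env"]);
const RESOLVED: Record<string, string> = { sh: "/bin/sh" };

// Drop leading dispatch wrappers (e.g. `env`) and return the inner command.
function unwrap(argv: string[]): string[] {
  let i = 0;
  while (i < argv.length && DISPATCH_WRAPPERS.has(argv[i])) i += 1;
  return argv.slice(i);
}

function resolveExecutable(name: string): string {
  return RESOLVED[name] !== undefined ? RESOLVED[name] : name;
}

// Buggy shape described in the advisory: argv[0] of the ORIGINAL array is
// replaced by the resolved inner executable, so the inner name `sh` survives
// as a stray positional argument.
function rewriteBuggy(argv: string[]): string[] {
  const inner = unwrap(argv);
  return [resolveExecutable(inner[0]), ...argv.slice(1)];
}

// Corrected shape: rewrite argv[0] of the UNWRAPPED array, so the wrapper
// tokens are gone and no extra positional is introduced.
function rewriteFixed(argv: string[]): string[] {
  const inner = unwrap(argv);
  return [resolveExecutable(inner[0]), ...inner.slice(1)];
}

// Simplified model of POSIX sh argument handling: option parsing stops at the
// first operand; `-c` takes the next word as the command string; otherwise the
// first operand is a script path. Options that consume a value (e.g. `-o`) are
// not modelled.
function shellAction(argv: string[]): ShellAction {
  for (let i = 1; i < argv.length; i += 1) {
    const a = argv[i];
    if (a === "-c") {
      return { kind: "command", text: argv.length > i + 1 ? argv[i + 1] : "" };
    }
    if (a === "--") {
      return argv.length > i + 1
        ? { kind: "script", path: argv[i + 1] }
        : { kind: "interactive" };
    }
    if (!a.startsWith("-")) return { kind: "script", path: a };
  }
  return { kind: "interactive" };
}

// Approval-integrity guard: the plan is acceptable only if the shell would run
// exactly the approved command string, not a script file or anything else.
function approvalHolds(plan: Plan): boolean {
  const action = shellAction(plan.argv);
  return action.kind === "command" && action.text === plan.approvedText;
}

// Constructed input matching the advisory's example.
const INPUT = ["env", "sh", "-c", "echo SAFE"];
const APPROVED_TEXT = "echo SAFE";
const buggyPlan: Plan = { argv: rewriteBuggy(INPUT), approvedText: APPROVED_TEXT };
const fixedPlan: Plan = { argv: rewriteFixed(INPUT), approvedText: APPROVED_TEXT };

console.log("buggy:", buggyPlan.argv, shellAction(buggyPlan.argv), approvalHolds(buggyPlan));
console.log("fixed:", fixedPlan.argv, shellAction(fixedPlan.argv), approvalHolds(fixedPlan));
```

The point of the guard is that it checks the plan the way the shell will read it rather than comparing strings the operator saw: the buggy plan still contains the approved text as an argument, so a substring or equality check on argv would pass, while a check on the effective shell action fails as it should.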
Fix Commit(s)
dded569626b0d8e7bdab10b5e7528b6caf73a0f1
Fixed Version
- Patched in openclaw@2026.3.2.
Weakness Enumeration
Argument Injection
Affected Products
Openclaw