PT-2026-25474 · Npm · Openclaw

Published: 2026-03-03 · Updated: 2026-03-03

CVSS v4.0: 5.9 (Medium)

Vector: AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

In openclaw@2026.2.24, approval-bound system.run on node hosts could be influenced by mutable symlink cwd targets between approval and execution.

Details

Approval matching on the gateway validated command/argv and binding fields, including cwd, as provided text. Node execution later used runtime cwd resolution. A symlinked cwd could therefore be retargeted after approval and before spawn.
OpenClaw's trust model does not treat one shared gateway as a multi-tenant adversarial boundary, but approval integrity is still a security boundary for operator-reviewed command execution.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.24
  • Patched: >= 2026.2.25

Fix Commit(s)

  • f789f880c934caa8be25b38832f27f90f37903db

Remediation

The fix adds defense-in-depth hardening for approval-bound node execution:
  • reject symlink cwd paths for approval-bound system.run
  • canonicalize path-like executable argv before spawn
  • bind CLI approval requests to exact commandArgv

Release Process Note

Patched version is pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25.
OpenClaw thanks @tdjackey for reporting.

Weakness Enumeration

  • Link Following
  • Time Of Check To Time Of Use

Related Identifiers

  • GHSA-MWCG-WFQ3-4GJC

Affected Products

  • Openclaw