PT-2026-32063 · Npm · Openclaw

Published

2026-03-31

·

Updated

2026-03-31

CVSS v3.1

7.3

High

VectorAV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Summary

Allow-always persistence did not unwrap /usr/bin/script and similar wrappers to the actual executed target before storing trust decisions.

Impact

A user approval for one wrapped command could persist trust for a wrapper binary that later executed a different underlying program.

Affected Component

src/infra/dispatch-wrapper-resolution.ts, src/infra/exec-wrapper-resolution.ts

Fixed Versions

  • Affected: <= 2026.3.24
  • Patched: >= 2026.3.28
  • Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit 83da3cfe31 (infra: unwrap script wrapper approval targets).

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-385

Related Identifiers

GHSA-6PFC-6M7W-M8FX

Affected Products

Openclaw