PT-2026-32306 — Uncontrolled Search Path Element in Npm Openclaw

PT-2026-32306 · Npm · Openclaw

Published

2026-04-03

Updated

2026-04-03

CVSS v3.1

6.1

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Summary

Incomplete host-env-security-policy.json allows untrusted model to substitute compiler binaries (CC, CXX, CARGO BUILD RUSTC, CMAKE C COMPILER) via env overrides on approved host exec requests

Current Maintainer Triage

Status: narrow
Normalized severity: medium
Assessment: Shipped v2026.3.28 host-env policy missed compiler override vars, but exploitation still requires an approved host-exec request inside the existing exec trust domain, so medium not high.

Affected Packages / Versions

Package: openclaw (npm)
Latest published npm version: 2026.3.31
Vulnerable version range: <=2026.3.28
Patched versions: >= 2026.3.31
First stable tag containing the fix: v2026.3.31

Fix Commit(s)

e277a37f896b5011a1df06e6490c6630074d0afa — 2026-03-30T20:06:32+01:00

OpenClaw thanks @tdjackey for reporting.

Fix

Uncontrolled Search Path Element

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-427

Related Identifiers

GHSA-G8XP-QX39-9JQ9

Affected Products

Openclaw