PT-2026-33577 · Npm · Openclaw
Published: 2026-04-07 · Updated: 2026-04-07
CVSS v3.1: 7.3 (High)
| Vector | AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Summary
Before OpenClaw 2026.3.31, exec allowlist matching could treat shell init-file wrapper invocations as if the approved script itself were being executed. Shell options such as --rcfile, --init-file, and --startup-file could therefore inherit allowlist trust from a matched script path even though the shell loaded attacker-chosen initialization first.
Impact
This issue only applied when exec allowlist or allow-always behavior was enabled and the attacker could steer a shell-wrapper command shape that used init-file options. The result was a narrower allowlist bypass, not generic arbitrary command execution from an untrusted boundary.
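As an added example (not OpenClaw's own code), the following shell-aware allowlist matcher sits beside the naive "any argv element matches an approved path" shape the advisory describes; the shell names, option spellings and demo paths are assumptions for the demo.

```javascript
// Added example, not OpenClaw's code: a shell-aware exec allowlist matcher
// that refuses allowlist trust when a shell wrapper carries an init-file
// option. Shell names and option spellings below are assumptions for the
// demo; a production matcher needs each shell's full option grammar.
const SHELL_NAMES = new Set(["sh", "bash", "dash", "ksh", "zsh"]);
// Init-file options named in the advisory (constructed list, not exhaustive).
const INIT_FILE_OPTIONS = ["--rcfile", "--init-file", "--startup-file"];

const basename = (p) => p.split("/").pop();

// Vulnerable shape: trust is granted if ANY argv element is an allowlisted
// script path, so "bash --rcfile <untrusted file> <approved script>" passes.
function naiveIsAllowed(argv, allowlist) {
  return argv.some((arg) => allowlist.has(arg));
}

// Hardened: return the single path the allowlist may be checked against,
// or null when the invocation must not inherit trust from any script match.
function resolveAllowlistTarget(argv) {
  if (argv.length === 0) return null;
  const [cmd, ...rest] = argv;
  if (!SHELL_NAMES.has(basename(cmd))) return cmd; // not a shell wrapper
  for (const arg of rest) {
    for (const opt of INIT_FILE_OPTIONS) {
      // Covers both "--rcfile FILE" and "--rcfile=FILE" spellings.
      if (arg === opt || arg.startsWith(opt + "=")) return null;
    }
  }
  // The shell's script is its first non-option argument; "--" is skipped.
  const script = rest.find((arg) => !arg.startsWith("-"));
  return script === undefined ? null : script;
}

function isAllowed(argv, allowlist) {
  const target = resolveAllowlistTarget(argv);
  return target !== null && allowlist.has(target);
}

// Constructed demo input.
const ALLOW = new Set(["/opt/tools/approved.sh"]);
const wrapped = ["bash", "--rcfile", "/tmp/untrusted.rc", "/opt/tools/approved.sh"];
console.log(naiveIsAllowed(wrapped, ALLOW)); // true: the bypass shape
console.log(isAllowed(wrapped, ALLOW)); // false: init-file option rejected
console.log(isAllowed(["bash", "/opt/tools/approved.sh"], ALLOW)); // true
```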
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: < 2026.3.31
- Patched versions: >= 2026.3.31
- Latest published npm version: 2026.4.1
Fix Commit(s)
0c8375424620e12777ef24c162eedc7e9fcfd7e3 — reject shell init-file script matches
Release Process Note
The fix shipped in OpenClaw 2026.3.31 on March 31, 2026. The current published npm release 2026.4.1 from April 1, 2026 also contains the fix.
Thanks @cyjhhh for reporting.
Fix
Weakness Enumeration
Incomplete List of Disallowed Inputs
Related Identifiers
Affected Products
Openclaw