PT-2026-35590 · Npm · Openclaw
Published
2026-04-17
·
Updated
2026-04-17
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Summary
busybox and toybox applet execution weakened exec approval binding.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
>= 2026.2.23 < 2026.4.12 - Patched versions:
>= 2026.4.12
Impact
Opaque multi-call binaries such as
busybox and toybox could obscure which applet or script-like behavior would actually run, weakening exec approval binding and risk classification.Technical Details
The fix treats
busybox and toybox as opaque mutable script runners and fails closed rather than binding unsafe applet invocations.Fix
The issue was fixed in #65713. The first stable tag containing the fix is
v2026.4.12, and openclaw@2026.4.14 includes the fix.Fix Commit(s)
666f48d9b882a8a1415ca53f9567c72499d850c9- PR: #65713
Release Process Note
Users should upgrade to
openclaw 2026.4.12 or newer. The latest npm release, 2026.4.14, already includes the fix.Credits
Thanks to @decsecre583 for reporting this issue.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw