PT-2026-6419 · Npm · Openclaw

Published

2026-02-04

·

Updated

2026-02-04

CVSS v3.1

8.4

High

Vector

AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

An unauthenticated local client could use the Gateway WebSocket API to write configuration via config.apply and set unsafe cliPath values. Those values were later passed to command discovery, which resolved executables through a shell, so a crafted cliPath led to command injection as the gateway user.

Impact

A local process on the same machine could execute arbitrary commands as the gateway process user.

Details

  • config.apply accepted raw JSON and wrote it to disk after schema validation, and the API did not require authentication from local clients.
  • cliPath values were not constrained to safe executable names or absolute paths, so strings containing shell metacharacters passed validation.
  • Command discovery resolved executables through a shell invocation, so the unvalidated cliPath was interpreted by the shell rather than passed as a single argument.

Mitigation

Upgrade to a patched release. If you cannot upgrade immediately, set gateway.auth so the Gateway WebSocket API no longer accepts unauthenticated local clients, and do not configure custom cliPath values.

Fix

Missing Authentication

OS Command Injection

RCE


Weakness Enumeration

Related Identifiers

GHSA-G55J-C2V4-PJCG

Affected Products

Openclaw