GHSA-fvx6-pj3r-5q4q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fvx6-pj3r-5q4q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-fvx6-pj3r-5q4q/GHSA-fvx6-pj3r-5q4q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fvx6-pj3r-5q4q
- Aliases
-
- CVE-2026-34425
- Downstream
- Published
- 2026-04-06T22:53:48Z
- Modified
- 2026-04-06T23:02:59.337986Z
- Summary
- OpenClaw's complex interpreter pipelines could skip exec script preflight validation
- Details
-
Summary
Before OpenClaw 2026.4.2, exec script preflight validation could fail open on complex interpreter invocations such as pipes or other non-simple command forms. In those cases, script-content validation could be skipped entirely.
Impact
An attacker-controlled command shape could bypass the intended preflight validation for script execution. This weakened a defense-in-depth guard that was meant to block unsafe script content before execution.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.4.1 - Patched versions:
>= 2026.4.2 - Latest published npm version:
2026.4.1
Fix Commit(s)
8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513— close the fail-open bypass in exec script preflight
Release Process Note
The fix is present on
mainand is staged for OpenClaw2026.4.2. Publish this advisory after the2026.4.2npm release is live.Thanks @iskindar for reporting, and thanks @wsparks-vc for coordination.
- Package:
- Database specific
{ "nvd_published_at": null, "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-184" ], "github_reviewed_at": "2026-04-06T22:53:48Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q
- https://nvd.nist.gov/vuln/detail/CVE-2026-34425
- https://github.com/openclaw/openclaw/commit/8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-shell-bleed-protection-preflight-validation-bypass
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw