GHSA-2cq5-mf3v-mx44
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2cq5-mf3v-mx44
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-2cq5-mf3v-mx44/GHSA-2cq5-mf3v-mx44.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2cq5-mf3v-mx44
- Aliases
-
- CVE-2026-43530
- Downstream
- Published
- 2026-04-17T22:16:04Z
- Modified
- 2026-05-08T01:50:47.048771Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw: busybox and toybox applet execution weakened exec approval binding
- Details
-
Summary
busybox and toybox applet execution weakened exec approval binding.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
>= 2026.2.23 < 2026.4.12 - Patched versions:
>= 2026.4.12
Impact
Opaque multi-call binaries such as
busyboxandtoyboxcould obscure which applet or script-like behavior would actually run, weakening exec approval binding and risk classification.Technical Details
The fix treats
busyboxandtoyboxas opaque mutable script runners and fails closed rather than binding unsafe applet invocations.Fix
The issue was fixed in #65713. The first stable tag containing the fix is
v2026.4.12, andopenclaw@2026.4.14includes the fix.Fix Commit(s)
666f48d9b882a8a1415ca53f9567c72499d850c9- PR: #65713
Release Process Note
Users should upgrade to
openclaw2026.4.12 or newer. The latest npm release,2026.4.14, already includes the fix.Credits
Thanks to @decsecre583 for reporting this issue.
- Package:
- Database specific
{ "nvd_published_at": "2026-05-05T12:16:19Z", "severity": "HIGH", "github_reviewed_at": "2026-04-17T22:16:04Z", "cwe_ids": [ "CWE-863" ], "github_reviewed": true }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2cq5-mf3v-mx44
- https://nvd.nist.gov/vuln/detail/CVE-2026-43530
- https://github.com/openclaw/openclaw/pull/65713
- https://github.com/openclaw/openclaw/commit/666f48d9b882a8a1415ca53f9567c72499d850c9
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-weakened-exec-approval-binding-via-busybox-and-toybox-applet-execution
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw