GHSA-3h2q-j2v4-6w5r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3h2q-j2v4-6w5r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3h2q-j2v4-6w5r/GHSA-3h2q-j2v4-6w5r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3h2q-j2v4-6w5r
- Downstream
- Published
- 2026-03-09T19:53:58Z
- Modified
- 2026-03-09T20:01:24.211156Z
- Severity
-
- 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers
- Details
-
OpenClaw's
system.runshell-wrapper detection did not recognize PowerShell-EncodedCommandforms as inline-command wrappers.In
allowlistmode, a caller with access tosystem.runcould invokepwshorpowershellusing-EncodedCommand,-enc, or-e, and the request would fall back to plain argv analysis instead of the normal shell-wrapper approval path. This could allow a PowerShell inline payload to execute without the approval step that equivalent-Commandinvocations would require.Latest published npm version:
2026.3.2Fixed on
mainon March 7, 2026 in1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727dby recognizing PowerShell encoded-command aliases during shell-wrapper parsing, so allowlist mode continues to require approval for those payloads. Normal approved PowerShell wrapper flows continue to work.Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.3.2 - Patched version:
>= 2026.3.7
Fix Commit(s)
1d1757b16f48f1a93cd16ab0ad7e2c3c63ce727d
Release Process Note
npm
2026.3.7was published on March 8, 2026. This advisory is fixed in the released package.Thanks @tdjackey for reporting.
- Package:
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-09T19:53:58Z", "cwe_ids": [ "CWE-184", "CWE-863" ], "severity": "MODERATE", "nvd_published_at": null }- References
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw