GHSA-6f6j-wx9w-ff4j

Suggest an improvement
Source
https://github.com/advisories/GHSA-6f6j-wx9w-ff4j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-6f6j-wx9w-ff4j/GHSA-6f6j-wx9w-ff4j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6f6j-wx9w-ff4j
Aliases
Downstream
Published
2026-03-02T21:55:05Z
Modified
2026-03-20T21:50:39.668658Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
CpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths
Details

Summary

On Windows ACPX paths, wrapper resolution for .cmd/.bat could fall back to shell execution in ways that allowed cwd influence to alter execution behavior.

Impact

In affected Windows ACPX configurations, this could enable command execution integrity loss through cwd-influenced wrapper resolution.

Fix

Wrapper resolution now prefers explicit PATH/PATHEXT entrypoint resolution and unwrapped Node/EXE execution, with strict fail-closed handling enabled by default for unresolvable wrapper cases.

Affected and Patched Versions

  • Affected: >= 2026.2.26, < 2026.3.1
  • Patched: 2026.3.1
Database specific 
{
    "cwe_ids": [
        "CWE-78"
    ],
    "github_reviewed_at": "2026-03-02T21:55:05Z",
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "github_reviewed": true
}
References

Affected packages

npm / openclaw

Package

Name
openclaw
View open source insights on deps.dev
Purl
pkg:npm/openclaw

Affected ranges

Type
SEMVER
Events
Introduced
2026.2.26
Fixed
2026.3.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-6f6j-wx9w-ff4j/GHSA-6f6j-wx9w-ff4j.json"