GHSA-796m-2973-wc5q

Source

https://github.com/advisories/GHSA-796m-2973-wc5q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-796m-2973-wc5q/GHSA-796m-2973-wc5q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-796m-2973-wc5q

Downstream

MINI-xrhw-843f-q2c7

Published

2026-03-03T22:23:45Z

Modified

2026-03-04T15:12:40.779472Z

Severity

5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation

Details

Summary

tools.exec allowlist/safe-bins evaluation could diverge from runtime execution for wrapper commands using GNU env -S/--split-string semantics. This allowed policy checks to treat a command as a benign safe-bin invocation while runtime executed a different payload.

Affected Packages / Versions

Package: openclaw (npm)
Vulnerable versions: <= 2026.2.22-2 (latest currently published npm version)
Patched version (released): 2026.2.23

Impact

An attacker able to influence tool command text (for example via untrusted prompt/content injection reaching an exec-capable flow) could bypass allowlist/safe-bins intent and execute unexpected commands.

Technical Details

Root cause was policy/runtime interpretation mismatch for dispatch wrappers: - analysis resolved an effective executable from wrapper-unwrapped argv, - execution could still run original wrapper argv semantics, - safe-bin short-flag handling also allowed unknown short options in clusters.

Remediation

The fix hardens exec approvals to fail closed and enforce analysis/runtime parity: - introduce wrapper execution planning with semantic-wrapper blocking, - carry planned effectiveArgv + policyBlocked metadata through resolution, - evaluate allowlist/safe-bins against planned argv, - enforce canonical rebuilt shell command from planned argv for allowlist auto-paths, - use planned argv for node-host/mac exec-host invocation paths, - reject unknown short safe-bin flags, - add regression tests for semantic env wrappers and parity fixtures.

Fix Commit(s)

a1c4bf07c6baad3ef87a0e710fe9aef127b1f606

Release Process Note

patched_versions is pre-set to the released version (2026.2.23). Patched in 2026.2.23 and published.

OpenClaw thanks @jiseoung for reporting.

Database specific

{
    "github_reviewed_at": "2026-03-03T22:23:45Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-436"
    ],
    "nvd_published_at": null,
    "severity": "MODERATE"
}

References

Affected packages

npm / openclaw

Package

Name: openclaw; View open source insights on deps.dev
Purl: pkg:npm/openclaw

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2026.2.23

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-796m-2973-wc5q/GHSA-796m-2973-wc5q.json"